diff --git a/packages/backend/src/queue/processors/db/export-custom-emojis.ts b/packages/backend/src/queue/processors/db/export-custom-emojis.ts
index c7e2e825d..f31531db4 100644
--- a/packages/backend/src/queue/processors/db/export-custom-emojis.ts
+++ b/packages/backend/src/queue/processors/db/export-custom-emojis.ts
@@ -58,6 +58,10 @@ export async function exportCustomEmojis(job: Bull.Job, done: () => void): Promi
 	});
 
 	for (const emoji of customEmojis) {
+		if (!/^[a-zA-Z0-9_]+$/.test(emoji.name)) {
+			this.logger.error(`invalid emoji name: ${emoji.name}, skipping in emoji export`);
+			continue;
+		}
 		const ext = mime.extension(emoji.type);
 		const fileName = emoji.name + (ext ? '.' + ext : '');
 		const emojiPath = path + '/' + fileName;
diff --git a/packages/backend/src/queue/processors/db/import-custom-emojis.ts b/packages/backend/src/queue/processors/db/import-custom-emojis.ts
index 1d06d5ff8..855017460 100644
--- a/packages/backend/src/queue/processors/db/import-custom-emojis.ts
+++ b/packages/backend/src/queue/processors/db/import-custom-emojis.ts
@@ -50,6 +50,10 @@ export async function importCustomEmojis(job: Bull.Job<DbUserImportJobData>, don
 
 		for (const record of meta.emojis) {
 			if (!record.downloaded) continue;
+			if (!/^[a-zA-Z0-9_]+?([a-zA-Z0-9\.]+)?$/.test(record.fileName)) {
+				this.logger.error(`invalid filename: ${record.fileName}, skipping in emoji import`);
+				continue;
+			}
 			const emojiInfo = record.emoji;
 			const emojiPath = outputPath + '/' + record.fileName;
 			await Emojis.delete({