diff --git a/core/src/main/java/org/yes/cart/utils/impl/ZipUtils.java b/core/src/main/java/org/yes/cart/utils/impl/ZipUtils.java
index aa2de5651f..7986e42564 100644
--- a/core/src/main/java/org/yes/cart/utils/impl/ZipUtils.java
+++ b/core/src/main/java/org/yes/cart/utils/impl/ZipUtils.java
@@ -82,7 +82,11 @@ private void unzipEntry(final ZipFile zipfile, final ZipArchiveEntry entry, fina
             return;
         }
-        File outputFile = new File(outputDir, entry.getName());
+        File outputFile = new File(outputDir, entry.getName());
+
+        if (!outputFile.toPath().normalize().startsWith(outputDir.toPath().normalize())) {
+            throw new IOException("Bad zip entry");
+        }
         if (!outputFile.getParentFile().exists()) {
             createDir(outputFile.getParentFile());
         }
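Review bot: The added throw discards the offending entry name, so an operator who sees `Bad zip entry` in a log cannot tell which archive entry failed the containment check; prefer `throw new IOException("Bad zip entry: " + entry.getName());`. The check itself is sound because `Path.startsWith` compares whole name elements, so a sibling directory such as `outputDir2` is not accepted as a prefix of `outputDir`. The guard only covers the file branch, though: if the directory branch that returns just above the hunk (outside the visible lines) also derives a path from `entry.getName()`, it needs the same normalize/startsWith check, since a `..` in a directory entry could otherwise create directories outside `outputDir`. `normalize()` does not resolve symbolic links, so if this extractor can write symlink entries, containment should be re-verified against the real path of the parent directory before writing; unzipEntry's body continues outside the hunk.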