diff --git a/src/main/java/io/jenkins/blueocean/maven/plugin/ProcessUpstreamDependenciesMojo.java b/src/main/java/io/jenkins/blueocean/maven/plugin/ProcessUpstreamDependenciesMojo.java
index 4ae289a..5fa90d0 100644
--- a/src/main/java/io/jenkins/blueocean/maven/plugin/ProcessUpstreamDependenciesMojo.java
+++ b/src/main/java/io/jenkins/blueocean/maven/plugin/ProcessUpstreamDependenciesMojo.java
@@ -113,6 +113,9 @@ public void execute() throws MojoExecutionException {
 continue;
 }
 File outFile = new File(outDir, entry.getName());
+ if (!outFile.toPath().normalize().startsWith(outDir.toPath())) {
+ throw new RuntimeException("Bad zip entry");
+ }
 if (!outFile.exists() || outFile.lastModified() < artifactLastModified) {
 if (getLog().isDebugEnabled()) getLog().debug("Copying file: " + outFile.getAbsolutePath());
 File parentFile = outFile.getParentFile();
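Review bot: The added containment check normalizes only `outFile` and compares it with `outDir.toPath()` as given, so if `outDir` is relative or carries `.`/`..` segments the two sides are not in the same form and legitimate entries may be rejected. Putting both sides in the same form removes that dependency: `if (!outFile.toPath().toAbsolutePath().normalize().startsWith(outDir.toPath().toAbsolutePath().normalize())) {`. The rejection is raised as a bare `RuntimeException("Bad zip entry")` although `execute()` declares `MojoExecutionException`; `throw new MojoExecutionException("Zip entry escapes output directory: " + entry.getName());` fails the build through the normal Maven path and names the offending entry in the log. `normalize()` is purely lexical, so a symlink already present under `outDir` is not covered by this guard; a short comment next to the check saying so would help the next reader. The body of `execute()` starts and ends outside the hunk, so how `outDir` is built and whether an enclosing try block re-wraps the exception cannot be confirmed from here.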