diff --git a/se/src/main/java/org/jboss/forge/furnace/se/BootstrapClassLoader.java b/se/src/main/java/org/jboss/forge/furnace/se/BootstrapClassLoader.java
index 8adc28a1..a596702c 100644
--- a/se/src/main/java/org/jboss/forge/furnace/se/BootstrapClassLoader.java
+++ b/se/src/main/java/org/jboss/forge/furnace/se/BootstrapClassLoader.java
@@ -110,7 +110,11 @@ private List handleZipStream(URL original) throws IOException, FileNotFound
 try
 {
 byte[] buffer = new byte[2048];
- output = new FileOutputStream(new File(tempDir, entry.getName()));
+ final File zipEntryFile = new File(tempDir, entry.getName());
+ if (!zipEntryFile.toPath().normalize().startsWith(tempDir.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
+ output = new FileOutputStream(zipEntryFile);
 int len = 0;
 while ((len = stream.read(buffer)) > 0)
 {
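Review bot: The new guard's exception `throw new IOException("Bad zip entry");` gives a responder nothing to work with when a crafted archive is rejected; name the offending entry and its source so the rejection is actionable in logs, e.g. `throw new IOException("Zip entry '" + entry.getName() + "' in " + original + " resolves outside " + tempDir);`. The check itself is sound: it compares normalized `Path` components via `Path.startsWith` rather than a string prefix, so an entry that escapes to a sibling directory whose name merely shares a prefix with `tempDir` is still rejected. The added lines place `{` on the same line as `if`, whereas the surrounding context appears to keep braces on their own line (the hunk's count of 7 old lines only fits that layout), so the new block should follow the file's existing brace style. `handleZipStream` begins and ends outside this hunk.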