diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58671b0..7245c14 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Change Log
+## 3.0.9
+### Security
+ - Escape path before evaluating resource rules (thanks to Colby Morgan). Prior to this, flask-cors incorrectly
+ evaluated CORS resource matching before path expansion. E.g. "/api/../foo.txt" would incorrectly match resources for
+ "/api/*" whereas the path actually expands simply to "/foo.txt"
+
 ## 3.0.8 Fixes : DeprecationWarning: Using or importing the ABCs from 'collections' in Python 3.7. Thank you @juanmaneo and @jdevera for the contribution.
diff --git a/flask_cors/version.py b/flask_cors/version.py
index 8a7ae5d..f3b2d6d 100644
--- a/flask_cors/version.py
+++ b/flask_cors/version.py
@@ -1 +1 @@
-__version__ = '3.0.8'
+__version__ = '3.0.9'