diff --git a/testng-core/src/main/java/org/testng/JarFileUtils.java b/testng-core/src/main/java/org/testng/JarFileUtils.java
index 87237dfdd7..ff0cf32b4f 100644
--- a/testng-core/src/main/java/org/testng/JarFileUtils.java
+++ b/testng-core/src/main/java/org/testng/JarFileUtils.java
@@ -76,6 +76,9 @@ private boolean testngXmlExistsInJar(File jarFile, List classes) throws
 if (Parser.canParse(jeName.toLowerCase())) {
 InputStream inputStream = jf.getInputStream(je);
 File copyFile = new File(file, jeName);
+ if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 copyFile.getParentFile().mkdirs();
 Files.copy(inputStream, copyFile.toPath());
 if (matchesXmlPathInJar(je)) {
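Review bot: The new guard normalizes both sides but never makes them absolute, so when `file` is a relative path the outcome depends on how the caller spelled it; in particular a base of `.` normalizes to the empty path, which `Path.startsWith` treats as a prefix of nothing but itself, so every entry would be refused. Resolve both paths first: `if (!copyFile.toPath().toAbsolutePath().normalize().startsWith(file.toPath().toAbsolutePath().normalize())) {`. The rejection also discards the offending entry name, which is the one detail an operator needs when a jar is refused — `throw new IOException("Bad zip entry: " + jeName);`. Because the check runs after `jf.getInputStream(je)`, a rejected entry leaves that stream open unless the enclosing `JarFile` is closed by the caller; computing `copyFile` and validating it before opening the stream avoids relying on that. `testngXmlExistsInJar` starts and ends outside this hunk.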