diff --git a/marklogic-data-hub/src/main/java/com/marklogic/hub/hubcentral/HubCentralManager.java b/marklogic-data-hub/src/main/java/com/marklogic/hub/hubcentral/HubCentralManager.java
index f7f52d5743..1fa09ff386 100644
--- a/marklogic-data-hub/src/main/java/com/marklogic/hub/hubcentral/HubCentralManager.java
+++ b/marklogic-data-hub/src/main/java/com/marklogic/hub/hubcentral/HubCentralManager.java
@@ -244,6 +244,9 @@ protected void extractZipToProject(HubProject hubProject, File zipFile) {
 int entrySize = (int) entry.getSize();
 byte[] buffer = new byte[entrySize];
 File outputFile = new File(projectDir, entry.getName());
+ if (!outputFile.toPath().normalize().startsWith(projectDir.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 outputFile.getParentFile().mkdirs();
 try (InputStream inputStream = zip.getInputStream(entry);
 FileOutputStream fileOut = new FileOutputStream(outputFile)) {
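Review bot: The added containment check compares lexically normalized paths, and `Path.normalize()` does not resolve symbolic links, so an entry whose parent directory is a symlink inside the project directory would still pass; if that can occur here, compare canonical paths instead, e.g. `if (!outputFile.getCanonicalFile().toPath().startsWith(projectDir.getCanonicalFile().toPath())) {`. The exception text `"Bad zip entry"` also omits which entry was rejected; `throw new IOException("Zip entry resolves outside the project directory: " + entry.getName());` gives whoever triages the failure the offending name. Separately, the context lines still size the buffer from `(int) entry.getSize()`, which is -1 when the size is unknown, so a guard on that value belongs before the allocation. extractZipToProject starts and ends outside the hunk, so how the IOException is handled is not visible here.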