diff --git a/jangaroo-maven/jangaroo-maven-plugin/src/main/java/net/jangaroo/jooc/mvnplugin/sencha/SenchaUtils.java b/jangaroo-maven/jangaroo-maven-plugin/src/main/java/net/jangaroo/jooc/mvnplugin/sencha/SenchaUtils.java
index 9b9ef5434..e76d39fa7 100644
--- a/jangaroo-maven/jangaroo-maven-plugin/src/main/java/net/jangaroo/jooc/mvnplugin/sencha/SenchaUtils.java
+++ b/jangaroo-maven/jangaroo-maven-plugin/src/main/java/net/jangaroo/jooc/mvnplugin/sencha/SenchaUtils.java
@@ -396,6 +396,9 @@ public static void extractPkg(File archive, File targetDir) throws MojoExecution
 targetName = targetName.substring(Type.SWC_PKG_PATH.length());
 }
 File target = new File(targetDir, targetName);
+ if (!target.toPath().normalize().startsWith(targetDir.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 if (entry.isDirectory()) {
 FileHelper.ensureDirectory(target);
 } else {
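Review bot: The added containment check in extractPkg throws `new IOException("Bad zip entry")` without naming the entry or the archive, so a rejected package leaves nothing in the build log to triage from; assuming `entry` is a `java.util.zip.ZipEntry`, consider `throw new IOException("Zip entry escapes target directory: " + entry.getName() + " (archive: " + archive + ")");`. `Path.normalize()` is purely lexical and does not resolve symbolic links, so the check covers `..` segments in entry names but not a target directory that already contains a link pointing elsewhere; if that matters for this plugin, compare canonical paths instead. The normalized `targetDir` path looks loop-invariant and could be computed once before the entries are processed. The body of extractPkg starts and ends outside this hunk, so whether the IOException is wrapped into the declared MojoExecutionException cannot be confirmed from here.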