diff --git a/xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginMonitor.java b/xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginMonitor.java
index 15905b6be7..0f86f1376a 100644
--- a/xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginMonitor.java
+++ b/xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginMonitor.java
@@ -479,7 +479,10 @@ private boolean unzipPlugin( String pluginName, Path file, Path dir )
 for ( Enumeration e = zipFile.entries(); e.hasMoreElements(); )
 {
 JarEntry entry = (JarEntry) e.nextElement();
- Path entryFile = dir.resolve( entry.getName() ); // ignore possibility for zipslip as this is sanitized for if property is enabled lgtm [java/zipslip]
+ Path entryFile = dir.resolve( entry.getName() );
+ if (!entryFile.normalize().startsWith(dir.normalize())) {
+ throw new IOException("Bad zip entry");
+ } // ignore possibility for zipslip as this is sanitized for if property is enabled lgtm [java/zipslip]
 // Ignore any manifest.mf entries.
 if ( entry.getName().toLowerCase().endsWith( "manifest.mf" ) )
 {
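Review bot: The trailing comment kept on the new closing brace, `// ignore possibility for zipslip as this is sanitized for if property is enabled lgtm [java/zipslip]`, is now stale and misleading: it was a CodeQL suppression asserting a property-gated sanitizer, but the check added just above it is unconditional, so it should be dropped or replaced with something like `// Reject entries that would resolve outside the plugin directory (zip slip).`. The rejection itself is sound, since Path.startsWith compares path components after normalize() and so catches `..` segments and absolute entry names before any file is created, but `"Bad zip entry"` gives an operator nothing to triage with; `throw new IOException("Zip entry '" + entry.getName() + "' would escape plugin directory " + dir);` names the offending entry and destination. unzipPlugin's signature and any surrounding try/catch lie outside the hunk, so whether the new IOException is declared or handled there should be confirmed; the loop body also continues past the hunk.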