diff --git a/testng-core/src/main/java/org/testng/JarFileUtils.java b/testng-core/src/main/java/org/testng/JarFileUtils.java
index c0bb86f5b0..b86d9debf8 100644
--- a/testng-core/src/main/java/org/testng/JarFileUtils.java
+++ b/testng-core/src/main/java/org/testng/JarFileUtils.java
@@ -76,6 +76,10 @@ private boolean testngXmlExistsInJar(File jarFile, List classes) throws
 if (Parser.canParse(jeName.toLowerCase())) {
 InputStream inputStream = jf.getInputStream(je);
 File copyFile = new File(file, jeName);
+ if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
+ copyFile.getParentFile().mkdirs();
 Files.copyFile(inputStream, copyFile);
 if (matchesXmlPathInJar(je)) {
 suitePath = copyFile.toString();
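Review bot: The containment check sits after `jf.getInputStream(je)`, so a rejected entry throws with that stream already open; building `copyFile` and running the check before opening the stream would avoid relying on the enclosing code (outside this hunk) to close `jf`. The message would be easier to triage if it named the entry, for example `throw new IOException("Bad zip entry: " + jeName);`. `Path.normalize()` is purely lexical, which is adequate only if `file` is a directory this process created and no symlinks exist beneath it; where `file` comes from is not visible here, so a short comment above the check stating that assumption would help. The return value of `copyFile.getParentFile().mkdirs()` is ignored, so a failure to create the directory would presumably surface only later, in `Files.copyFile`. The body of `testngXmlExistsInJar` starts and ends outside the hunk.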