diff --git a/fate-serving-common/src/main/java/com/webank/ai/fate/serving/common/utils/ZipUtil.java b/fate-serving-common/src/main/java/com/webank/ai/fate/serving/common/utils/ZipUtil.java
index 2a9065b4..daa6aa9d 100644
--- a/fate-serving-common/src/main/java/com/webank/ai/fate/serving/common/utils/ZipUtil.java
+++ b/fate-serving-common/src/main/java/com/webank/ai/fate/serving/common/utils/ZipUtil.java
@@ -54,7 +54,11 @@ public static String unzip(File zipFile, String outputDirectory) throws Exceptio
 while (entries.hasMoreElements()) {
 ZipEntry entry = entries.nextElement();
- File outputFile = new File(outputDirectory + uuid + File.separator + entry.getName());
+ File outputFile = new File(outputDirectory + uuid, entry.getName());
+
+ if (!outputFile.toPath().normalize().startsWith(outputDirectory + uuid)) {
+ throw new RuntimeException("Bad zip entry");
+ }
 if (entry.isDirectory()) {
 outputFile.mkdirs();
 continue;