diff --git a/cmd/manager/bin.go b/cmd/manager/bin.go
index b2f2f58c..d552c481 100644
--- a/cmd/manager/bin.go
+++ b/cmd/manager/bin.go
@@ -12,6 +12,7 @@ import (
 	"os/user"
 	"path/filepath"
 	"runtime"
+	"strings"
 )
 
 func installBinary(url, folder string) {
@@ -51,6 +52,12 @@ func installBinary(url, folder string) {
 		log.Fatal(err)
 	}
 
+	// Do not allow directory traversal as it's a security issue.
+	if strings.Contains(header.Name, "..") {
+		log.Printf("skipping archive entry with disallowed path")
+		continue
+	}
+
 	path := filepath.Join(targetPath, header.Name)
 	switch header.Typeflag {
 	case tar.TypeDir:
diff --git a/fstore/gzip.go b/fstore/gzip.go
index 0b311ba4..04ab933f 100644
--- a/fstore/gzip.go
+++ b/fstore/gzip.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 func (h *FStore) unpackArchive(filename string, destination string) error {
@@ -55,6 +56,12 @@ func (h *FStore) unpackArchive(filename string, destination string) error {
 		break
 	}
 
+	// Do not allow directory traversal as it's a security issue.
+	if strings.Contains(entry.Name, "..") {
+		h.log.Warn().Str("archive", filename).Str("entry", entry.Name).Msg("skipping archive entry with disallowed path")
+		continue
+	}
+
 	typ := entry.Typeflag
 	h.log.Debug().
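Review bot: The `strings.Contains(header.Name, "..")` guard in the second hunk of cmd/manager/bin.go is a substring match rather than a path check, so it rejects legitimate entry names such as `foo..bar` while being a weaker test than simply verifying that the joined path stays inside targetPath; the same pattern is used in the fstore/gzip.go hunk, whose end lies outside this chunk. The robust form is to compute `path` first (as the existing line below already does), then check the cleaned result with `filepath.Rel`, which catches `a/../../b` and any other form that normalizes outside the target. The `log.Printf` here also omits the entry name, unlike the fstore variant which logs both archive and entry, so a skipped entry cannot be identified from the log. If installBinary handles `tar.TypeSymlink` further down (that code is outside the hunk), `header.Linkname` would need the same containment check, since the name check alone does not constrain where a link points. installBinary starts and ends outside this hunk.
```go
	path := filepath.Join(targetPath, header.Name)
	// Reject entries that resolve outside targetPath. Join cleans the result, so
	// "a/../../b" is caught while a legitimate name like "foo..bar" is not.
	if rel, err := filepath.Rel(targetPath, path); err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		log.Printf("skipping archive entry with disallowed path: %q", header.Name)
		continue
	}
	switch header.Typeflag {
	// … unchanged: per-type extraction cases …
```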