diff --git a/pkgmgr/registry.go b/pkgmgr/registry.go
index 51856f8..c92afc7 100644
--- a/pkgmgr/registry.go
+++ b/pkgmgr/registry.go
@@ -170,6 +170,10 @@ func registryPackagesUrl(cfg Config, validate bool) ([]Package, error) {
 if (zipFile.Mode() & fs.ModeDir) > 0 {
 continue
 }
+ // Ensure there are no parent dir references in path
+ if strings.Contains(zipFile.Name, "..") {
+ continue
+ }
 outPath := filepath.Join(
 cachePath,
 zipFile.Name,
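Review bot: The added guard before `filepath.Join(cachePath, zipFile.Name, …)` matches `..` as a raw substring and then silently `continue`s, so a harmless entry such as `notes..txt` is dropped without any trace, and a registry archive that does carry traversal entries is still partially extracted instead of being rejected. A path-aware check that fails the call would be stricter and more precise, for example `if !filepath.IsLocal(zipFile.Name) { return nil, fmt.Errorf("unsafe path in registry archive: %q", zipFile.Name) }` (Go 1.20+, assuming `fmt` is already imported in this file); it also covers absolute and drive-prefixed names rather than leaving those to `filepath.Join`. If skipping is the intended policy, the rejected name should at least be logged so a tampered package is visible to the operator. The extraction loop and the rest of registryPackagesUrl lie outside this hunk, so whether symlink entries are handled before the file is written cannot be confirmed from here.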