Index: trunk/src/org/openstreetmap/josm/gui/io/DownloadFileTask.java
===================================================================
--- trunk/src/org/openstreetmap/josm/gui/io/DownloadFileTask.java	(revision 17962)
+++ trunk/src/org/openstreetmap/josm/gui/io/DownloadFileTask.java	(revision 17964)
@@ -14,4 +14,6 @@
 import java.nio.file.Files;
 import java.nio.file.InvalidPathException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
 import java.util.Enumeration;
@@ -181,4 +183,5 @@
      */
     public static void unzipFileRecursively(File file, String dir) throws IOException {
+        Path dirPath = Paths.get(dir);
         try (ZipFile zf = new ZipFile(file, StandardCharsets.UTF_8)) {
             Enumeration<? extends ZipEntry> es = zf.entries();
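Review bot: `dirPath` is taken from `dir` exactly as passed, but the containment check in the next hunk compares it against a normalized entry path, so the two sides are not in the same form. If `dir` contains `.` or `..` segments (for example `/tmp/a/../b`), the normalized entry path will never start with the unnormalized `dirPath`, and every entry of a valid archive would be rejected. Normalize both sides the same way: `Path dirPath = Paths.get(dir).toAbsolutePath().normalize();` here, and `newFile.toPath().toAbsolutePath().normalize().startsWith(dirPath)` in the loop. Note that `normalize()` is purely lexical and does not resolve symlinks already present under `dir`; a short comment stating that limit would help the next reader. The method body continues outside this hunk.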
@@ -186,4 +189,8 @@
                 ZipEntry ze = es.nextElement();
                 File newFile = new File(dir, ze.getName());
+                // Checks for Zip Slip Vulnerability (CWE-22 / path traversal)
+                if (!newFile.toPath().normalize().startsWith(dirPath)) {
+                    throw new IOException("Bad zip entry - Invalid or malicious file, potential CWE-22 attack");
+                }
                 if (ze.isDirectory()) {
                     Utils.mkDirs(newFile);
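Review bot: `newFile.toPath()` in the added check can throw the unchecked `InvalidPathException` for an entry name the platform's file system rejects, and that would leave this method as a runtime exception rather than the declared `IOException`. The file already imports `InvalidPathException`, so a catch outside the hunk may cover it; if not, catch it around the check and rethrow as `throw new IOException("Bad zip entry", e);`. The message would also be easier to triage if it named the archive, e.g. `"Bad zip entry in " + file + " - ..."`. The loop body continues outside this hunk.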
