diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
index f52bed34a9..753f85369e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
@@ -7,6 +7,8 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.nio.file.Path;
 import java.util.Base64;
 import javax.annotation.PostConstruct;
 import javax.servlet.http.HttpServletRequest;
@@ -88,8 +90,11 @@ public ResponseEntity getProfilePicture(HttpServletRequest request) {
 }
 try {
 var id = request.getParameter("id");
- var catPicture =
- new File(catPicturesDirectory, (id == null ? RandomUtils.nextInt(1, 11) : id) + ".jpg");
+ Path normalizedPath = Paths.get(catPicturesDirectory.getAbsolutePath(), (id == null ? RandomUtils.nextInt(1, 11) : id) + ".jpg").normalize();
+ if (!normalizedPath.startsWith(catPicturesDirectory.getAbsolutePath())) {
+ return ResponseEntity.badRequest().body("Invalid file path");
+ }
+ var catPicture = normalizedPath.toFile();
 if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) {
 return ResponseEntity.ok()