diff --git a/planetiler-core/src/main/java/com/onthegomap/planetiler/reader/NaturalEarthReader.java b/planetiler-core/src/main/java/com/onthegomap/planetiler/reader/NaturalEarthReader.java
index 14ae862a..2711fdb2 100644
--- a/planetiler-core/src/main/java/com/onthegomap/planetiler/reader/NaturalEarthReader.java
+++ b/planetiler-core/src/main/java/com/onthegomap/planetiler/reader/NaturalEarthReader.java
@@ -15,7 +15,6 @@ import java.nio.charset.StandardCharsets;
 import java.nio.file.FileSystems;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.nio.file.StandardCopyOption;
 import java.sql.Connection;
 import java.sql.DriverManager;
 import java.sql.ResultSet;
@@ -101,10 +100,14 @@ public class NaturalEarthReader extends SimpleReader {
 .findFirst()
 .orElseThrow(() -> new IllegalArgumentException("No .sqlite file found inside " + path));
 extracted = unzippedDir.resolve(URLEncoder.encode(zipEntry.toString(), StandardCharsets.UTF_8));
+ if (!extracted.startsWith(unzippedDir)) {
+ throw new IllegalArgumentException(
+ "Zip file tried to extract child outside of folder: " + zipEntry.getFileName());
+ }
 FileUtils.createParentDirectories(extracted);
 if (!keepUnzipped || FileUtils.isNewer(path, extracted)) {
 LOGGER.info("unzipping {} to {}", path.toAbsolutePath(), extracted);
- Files.copy(Files.newInputStream(zipEntry), extracted, StandardCopyOption.REPLACE_EXISTING);
+ FileUtils.safeCopy(Files.newInputStream(zipEntry), extracted);
 }
 if (!keepUnzipped) {
 extracted.toFile().deleteOnExit();
diff --git a/planetiler-core/src/main/java/com/onthegomap/planetiler/util/FileUtils.java b/planetiler-core/src/main/java/com/onthegomap/planetiler/util/FileUtils.java
index 1cbbe138..362ea09f 100644
--- a/planetiler-core/src/main/java/com/onthegomap/planetiler/util/FileUtils.java
+++ b/planetiler-core/src/main/java/com/onthegomap/planetiler/util/FileUtils.java
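Review bot: The new `extracted.startsWith(unzippedDir)` guard in the second NaturalEarthReader hunk compares un-normalized paths, so it cannot reject a name containing `..`: `Path.resolve` only appends the relative name and `Path.startsWith` matches name elements literally. Because the entry name is URL-encoded before resolving, the guard looks unreachable as written; to make it a real containment check, normalize both sides, e.g. `extracted = unzippedDir.resolve(...).normalize();` followed by `if (!extracted.startsWith(unzippedDir.normalize())) {`. Separately, swapping `Files.copy(..., REPLACE_EXISTING)` for `FileUtils.safeCopy` changes overwrite behaviour: the FileUtils.java hunk of this commit shows the target opened with `CREATE, WRITE` and no `TRUNCATE_EXISTING`, so when `keepUnzipped` is set and a longer stale file already exists its tail would presumably survive; adding `StandardOpenOption.TRUNCATE_EXISTING` there would restore the previous semantics. The enclosing method starts and ends outside the hunk.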
@@ -268,7 +268,7 @@ public class FileUtils {
 * @throws UncheckedIOException if an IO exception occurs
 */
 public static void safeCopy(InputStream inputStream, Path destPath) {
- try (var outputStream = Files.newOutputStream(destPath, StandardOpenOption.CREATE, WRITE)) {
+ try (var outputStream = Files.newOutputStream(destPath, StandardOpenOption.CREATE, StandardOpenOption.WRITE)) {
 int totalSize = 0;
 int nBytes;