diff --git a/server/utils/plugin-loader.js b/server/utils/plugin-loader.js
index a13a7fff..5759b715 100644
--- a/server/utils/plugin-loader.js
+++ b/server/utils/plugin-loader.js
@@ -146,7 +146,12 @@ export function installPluginFromGit(url) {
     }
     const pluginsDir = getPluginsDir();
-    const targetDir = path.join(pluginsDir, repoName);
+    const targetDir = path.resolve(pluginsDir, repoName);
+
+    // Ensure the resolved target directory stays within the plugins directory
+    if (!targetDir.startsWith(pluginsDir + path.sep)) {
+      return reject(new Error('Invalid plugin directory path'));
+    }
 
     if (fs.existsSync(targetDir)) {
       return reject(new Error(`Plugin directory "${repoName}" already exists`));
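Review bot: The added containment check compares a fully resolved `targetDir` against `pluginsDir` exactly as `getPluginsDir()` returned it, and nothing in this hunk normalizes that base; if it is relative, carries a trailing separator, or uses forward slashes on Windows, `path.resolve` rewrites the target but not the prefix, so the `startsWith` test fails closed and every install is rejected with "Invalid plugin directory path". Normalize the base the same way as the target, `const pluginsDir = path.resolve(getPluginsDir());`, so both sides of the comparison are canonical absolute paths. The check only constrains the directory derived from `repoName`; it says nothing about the `url` argument, and whether that value is validated before reaching a git command (for instance to stop a value beginning with `-` being read as an option) is outside this hunk and should be confirmed separately. The function begins before the hunk and the hunk's trailing context line is cut off at the end of this chunk.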