diff --git a/apps/microtvm/arduino/template_project/microtvm_api_server.py b/apps/microtvm/arduino/template_project/microtvm_api_server.py
index f121238a678d..218ade70587d 100644
--- a/apps/microtvm/arduino/template_project/microtvm_api_server.py
+++ b/apps/microtvm/arduino/template_project/microtvm_api_server.py
@@ -177,11 +177,28 @@ def _remove_unused_components(self, source_dir, project_type):
         for component in unused_components:
             shutil.rmtree(source_dir / "standalone_crt" / component)
 
+    def _safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+        def is_within_directory(directory, member):
+
+            abs_directory = os.path.abspath(directory)
+            target = os.path.join(directory, member.name)
+            abs_target = os.path.abspath(target)
+
+            prefix = os.path.commonprefix([abs_directory, abs_target])
+
+            return prefix == abs_directory
+
+        for member in tar.getmembers():
+            if not is_within_directory(path, member):
+                raise Exception("Attempted Path Traversal in Tar File attack. See CVE-2007-4559.")
+
+        tar.extractall(path, members, numeric_owner)
+
     def _disassemble_mlf(self, mlf_tar_path, source_dir):
         with tempfile.TemporaryDirectory() as mlf_unpacking_dir_str:
             mlf_unpacking_dir = pathlib.Path(mlf_unpacking_dir_str)
             with tarfile.open(mlf_tar_path, "r:") as tar:
-                tar.extractall(mlf_unpacking_dir)
+                self._safe_extract(tar, mlf_unpacking_dir)
 
             model_dir = source_dir / "model"
             model_dir.mkdir()
@@ -430,7 +447,7 @@ def generate_project(self, model_library_format_path, standalone_crt_dir, projec
         # Populate extra_files
         if extra_files_tar:
             with tarfile.open(extra_files_tar, mode="r:*") as tf:
-                tf.extractall(project_dir)
+                self._safe_extract(tf, project_dir)
 
         build_extra_flags = '"build.extra_flags='
         if extra_files_tar:
diff --git a/apps/microtvm/zephyr/template_project/microtvm_api_server.py b/apps/microtvm/zephyr/template_project/microtvm_api_server.py
index 227b0389445a..a97fb4e033ee 100644
--- a/apps/microtvm/zephyr/template_project/microtvm_api_server.py
+++ b/apps/microtvm/zephyr/template_project/microtvm_api_server.py
@@ -702,7 +702,28 @@ def generate_project(self, model_library_format_path, standalone_crt_dir, projec
         # Populate extra_files
         if extra_files_tar:
             with tarfile.open(extra_files_tar, mode="r:*") as tf:
-                tf.extractall(project_dir)
+
+                def is_within_directory(directory, member, path="."):
+
+                    abs_directory = os.path.abspath(directory)
+                    target = os.path.join(path, member.name)
+                    abs_target = os.path.abspath(target)
+
+                    prefix = os.path.commonprefix([abs_directory, abs_target])
+
+                    return prefix == abs_directory
+
+                def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+                    for member in tar.getmembers():
+                        if not is_within_directory(path, member):
+                            raise Exception(
+                                "Attempted Path Traversal in Tar File attack. See CVE-2007-4559."
+                            )
+
+                    tar.extractall(path, members, numeric_owner)
+
+                safe_extract(tf, project_dir)
 
     def build(self, options):
         if BUILD_DIR.exists():