diff --git a/test/unit/test_utils.js b/test/unit/test_utils.js
index 5ca113989..db2fdc2fd 100644
--- a/test/unit/test_utils.js
+++ b/test/unit/test_utils.js
@@ -127,9 +127,23 @@ function createTemporaryNodeServer() {
 const fs = process.getBuiltinModule("fs"),
 http = process.getBuiltinModule("http");
+ function isAcceptablePath(requestUrl) {
+ try {
+ // Reject unnormalized paths, to protect against path traversal attacks.
+ const url = new URL(requestUrl, "https://localhost/");
+ return url.pathname === requestUrl;
+ } catch {
+ return false;
+ }
+ }
 // Create http server to serve pdf data for tests.
 const server = http
 .createServer((request, response) => {
+ if (!isAcceptablePath(request.url)) {
+ response.writeHead(400);
+ response.end("Invalid path");
+ return;
+ }
 const filePath = process.cwd() + "/test/pdfs" + request.url;
 fs.promises.lstat(filePath).then(
 stat => {