diff --git a/packager/react-packager/src/AssetServer/index.js b/packager/react-packager/src/AssetServer/index.js
index 71356acf38f6ab..57d1aea2c1f188 100644
--- a/packager/react-packager/src/AssetServer/index.js
+++ b/packager/react-packager/src/AssetServer/index.js
@@ -129,16 +129,23 @@ class AssetServer {
   _findRoot(roots, dir) {
     return Promise.all(
       roots.map(root => {
-        const absPath = path.join(root, dir);
+        // important: we want to resolve root + dir
+        // to ensure the requested path doesn't traverse beyond root
+        const absPath = path.resolve(root, dir);
         return stat(absPath).then(fstat => {
-          return {path: absPath, isDirectory: fstat.isDirectory()};
-        }, err => {
-          return {path: absPath, isDirectory: false};
+          // keep asset requests from traversing files
+          // up from the root (e.g. ../../../etc/hosts)
+          if (!absPath.startsWith(root)) {
+            return {path: absPath, isValid: false};
+          }
+          return {path: absPath, isValid: fstat.isDirectory()};
+        }, _ => {
+          return {path: absPath, isValid: false};
         });
       })
     ).then(stats => {
       for (let i = 0; i < stats.length; i++) {
-        if (stats[i].isValid) {
+        if (stats[i].isValid) {
           return stats[i].path;
         }
       }
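Review bot: The containment check `absPath.startsWith(root)` is a plain string-prefix test, so a sibling directory whose name merely begins with the root's name (for a root of `/srv/assets`, a resolved path under `/srv/assets-old`) still passes, and it also assumes `root` is already absolute and normalized while `absPath` comes out of `path.resolve`. Normalize the root first and compare on a separator boundary, e.g. `const rootPath = path.resolve(root);` before the `stat` call and `if (absPath !== rootPath && !absPath.startsWith(rootPath + path.sep))` in place of the current condition, or equivalently test that `path.relative(rootPath, absPath)` neither starts with `..` nor is absolute. Moving that check ahead of the `stat` call would also avoid touching the filesystem for a path that is going to be rejected anyway. Note that `stat` follows symlinks, so a link inside the root that points outside it is not caught by any path-string comparison; if that matters here it is a separate check (`lstat`/`realpath`). The method continues with its fall-through result outside this hunk.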