diff --git a/README.md b/README.md index e5c7912e..dcf61aeb 100644 --- a/README.md +++ b/README.md @@ -683,6 +683,12 @@ with [environment variables]: BROWSERSLIST_DANGEROUS_EXTEND=1 npx webpack ``` +* `BROWSERSLIST_ROOT_PATH` to prevent reading files above this path. + + ```sh + BROWSERSLIST_ROOT_PATH=. npx webpack + ``` + [environment variables]: https://en.wikipedia.org/wiki/Environment_variable diff --git a/index.d.ts b/index.d.ts index 7f8e7605..e47c5cfe 100644 --- a/index.d.ts +++ b/index.d.ts @@ -193,6 +193,7 @@ declare global { BROWSERSLIST_ENV?: string BROWSERSLIST_IGNORE_OLD_DATA?: string BROWSERSLIST_STATS?: string + BROWSERSLIST_ROOT_PATH?: string } } } diff --git a/node.js b/node.js index ab3124cb..a935371d 100644 --- a/node.js +++ b/node.js @@ -50,12 +50,22 @@ function eachParent(file, callback) { var dir = isFile(file) ? path.dirname(file) : file var loc = path.resolve(dir) do { + if (!pathInRoot(loc)) break; var result = callback(loc) if (typeof result !== 'undefined') return result } while (loc !== (loc = path.dirname(loc))) return undefined } +function pathInRoot(p) { + if (!process.env.BROWSERSLIST_ROOT_PATH) return true + var rootPath = path.resolve(process.env.BROWSERSLIST_ROOT_PATH); + if (path.relative(rootPath, p).substring(0,2) === '..') { + return false; + } + return true +} + function check(section) { if (Array.isArray(section)) { for (var i = 0; i < section.length; i++) { diff --git a/test/config.test.js b/test/config.test.js index 9711334b..e993715a 100644 --- a/test/config.test.js +++ b/test/config.test.js 
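Review bot: In `pathInRoot`, the prefix test `path.relative(rootPath, p).substring(0,2) === '..'` is not an exact containment check. On Windows `path.relative` returns an absolute path when the two paths are on different drives, so a start directory on another drive passes the check and the upward walk is not limited; conversely, a directory inside the root whose name begins with `..` is rejected. I would compare on a path-segment boundary and reject absolute results: `var rel = path.relative(rootPath, p)` followed by `return rel !== '..' && rel.indexOf('..' + path.sep) !== 0 && !path.isAbsolute(rel)`. Both paths go through `path.resolve`, which does not resolve symlinks, so the limit is lexical only; a short comment on `pathInRoot` saying so would help anyone relying on it as a read boundary. The added lines also end in semicolons (`break;`, `return false;`) where the surrounding code uses none.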
@@ -120,4 +120,16 @@ test('reads config with one string', () => { equal(browserslist.findConfig(STRING), { defaults: 'ie 9, ie 8' }) }) +test('stops at ROOT', () => { + browserslist.clearCaches() + process.env.BROWSERSLIST_ROOT_PATH = join(__dirname, 'fixtures', 'dir') + equal(browserslist.findConfig(FILE), undefined) +}) + +test('allows up to ROOT', () => { + browserslist.clearCaches() + process.env.BROWSERSLIST_ROOT_PATH = join(__dirname, 'fixtures') + equal(browserslist.findConfig(FILE), { defaults: ['ie 11', 'ie 10'] }) +}) + test.run() diff --git a/test/main.test.js b/test/main.test.js index f8d136d8..2ba22205 100644 --- a/test/main.test.js +++ b/test/main.test.js @@ -21,6 +21,7 @@ test.after.each(() => { delete process.env.BROWSERSLIST delete process.env.BROWSERSLIST_CONFIG delete process.env.BROWSERSLIST_ENV + delete process.env.BROWSERSLIST_ROOT_PATH }) test('accepts array', () => {
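Review bot: The cleanup for `BROWSERSLIST_ROOT_PATH` is added to `test.after.each` in test/main.test.js, while the two tests that set it are in test/config.test.js. That file's hooks are outside the hunk, so if it has no equivalent cleanup, the value set by 'allows up to ROOT' stays in the environment for anything that runs later in the same process. I would add `delete process.env.BROWSERSLIST_ROOT_PATH` to the after-each hook of config.test.js as well. Both tests pass an absolute root built with `join(__dirname, ...)`, whereas the README example uses the relative value `.`, so a case with a relative root would pin the `path.resolve` behaviour. A case whose start directory lies outside the root would pin the `break` on the first iteration; `FILE` is defined outside the hunk, so I cannot tell which of these the existing fixtures already cover.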