diff --git a/package.json b/package.json
index c2e2a65..5af38b7 100644
--- a/package.json
+++ b/package.json
@@ -78,7 +78,7 @@
 "why-is-node-running": "^3.2.2"
 },
 "dependencies": {
- "@fastify/reply-from": "^12.4.0",
+ "@fastify/reply-from": "^12.5.0",
 "fast-querystring": "^1.1.2",
 "fastify-plugin": "^5.1.0",
 "ws": "^8.18.3"
diff --git a/test/test.js b/test/test.js
index 4df07eb..30d2829 100644
--- a/test/test.js
+++ b/test/test.js
@@ -846,6 +846,27 @@ async function run () {
 t.assert.strictEqual(body, `this is "variable-api" endpoint with id 123 and query params ${queryParams}`)
 })
 
+ test('check against traversal attempts', async t => {
+ const server = Fastify()
+ server.register(proxy, {
+ upstream: `http://localhost:${origin.server.address().port}/bar/`,
+ preHandler (_, reply) {
+ reply.from('/foo/%2E%2E/bar')
+ }
+ })
+
+ await server.listen({ port: 0 })
+ t.after(() => server.close())
+
+ {
+ const response = await fetch(`http://localhost:${server.server.address().port}/%2e%2e`)
+ t.assert.strictEqual(response.status, 400)
+ const text = await response.json()
+ t.assert.strictEqual(text.error, 'Bad Request')
+ t.assert.strictEqual(text.message, 'source/request contain invalid characters')
+ }
+ })
+
 test('manual from call via fromParameters', async t => {
 const server = Fastify()
 server.register(proxy, {
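Review bot: The single `t.assert.strictEqual(response.status, 400)` in the new test cannot tell which input is being rejected, because both the incoming request path `/%2e%2e` and the `reply.from('/foo/%2E%2E/bar')` source set in the preHandler carry an encoded dot-segment, and the asserted message `'source/request contain invalid characters'` covers either one. Splitting this into two cases — a clean request path against the `%2E%2E` source, and the `%2e%2e` request with no preHandler — would pin both checks independently, so a regression in one is not masked by the other still returning 400. Only the percent-encoded form is exercised; whether a literal `..` segment or a double-encoded `%252e%252e` is also rejected is not established here and presumably deserves a case each if the upstream is meant to reject them. The rejection itself appears to come from the `@fastify/reply-from` bump in the same commit rather than code in this repo, so these tests are pinning dependency behaviour and the expected status for the request-path case should be confirmed against it. The enclosing `run()` starts and ends outside the hunk.
```javascript
  test('check against traversal attempts', async t => {
    // … unchanged: server setup with the preHandler calling reply.from('/foo/%2E%2E/bar') …
    {
      // clean request path: only the reply.from() source carries the encoded dot-segment
      const response = await fetch(`http://localhost:${server.server.address().port}/ok`)
      t.assert.strictEqual(response.status, 400)
      const body = await response.json()
      t.assert.strictEqual(body.message, 'source/request contain invalid characters')
    }
  })

  test('check against traversal attempts in the request path', async t => {
    const server = Fastify()
    server.register(proxy, {
      upstream: `http://localhost:${origin.server.address().port}/bar/`
    })
    await server.listen({ port: 0 })
    t.after(() => server.close())

    // no preHandler: only the incoming path carries the encoded dot-segment
    const response = await fetch(`http://localhost:${server.server.address().port}/%2e%2e`)
    t.assert.strictEqual(response.status, 400)
    const body = await response.json()
    t.assert.strictEqual(body.message, 'source/request contain invalid characters')
  })
```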