diff --git a/src/Codeception/Command/SelfUpdate.php b/src/Codeception/Command/SelfUpdate.php
index 82e1f9925c..2b7f4ea075 100644
--- a/src/Codeception/Command/SelfUpdate.php
+++ b/src/Codeception/Command/SelfUpdate.php
@@ -178,7 +178,13 @@ protected function retrieveLatestPharFile(OutputInterface $output)
 $phar = new \Phar($temp);
 // free the variable to unlock the file
 unset($phar);
- rename($temp, $this->filename);
+ // Before using $this->filename in rename
+ $realFilename = realpath($this->filename);
+ if ($realFilename === false || strpos($realFilename, getcwd()) !== 0) {
+ throw new \Exception('Invalid target filename for update.');
+ }
+ rename($temp, $realFilename);
+ $this->filename = $realFilename;
 } else {
 throw new \Exception('Request failed.');
 }
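Review bot: The guard `strpos($realFilename, getcwd()) !== 0` is the wrong boundary for a self-update target: it is a bare string-prefix match, so a working directory of `/opt/app` admits `/opt/app-old/codecept.phar`, and at the same time it rejects every phar installed outside the working directory, so a globally installed binary run from a project directory now throws 'Invalid target filename for update.'. What the replacement actually needs is that the resolved path is an existing, writable regular file — presumably the running phar itself, though where `$this->filename` is assigned is not visible here — so the check should be `!is_file($realFilename) || !is_writable($realFilename)`, with a separator-terminated `dirname()` comparison added only if confinement to a specific directory is genuinely intended. The return value of `rename()` should also be tested rather than discarded, because a failed rename leaves the downloaded file in `$temp` and the old phar in place while execution continues as if the update succeeded. The comment `// Before using $this->filename in rename` says when rather than why; replace it with `// Resolve symlinks so the downloaded phar replaces the real file, not a link`. retrieveLatestPharFile begins before this hunk.
```php
            unset($phar);
            // Resolve symlinks so the downloaded phar replaces the real file, not a link.
            $realFilename = realpath($this->filename);
            if ($realFilename === false || !is_file($realFilename) || !is_writable($realFilename)) {
                throw new \Exception('Invalid target filename for update.');
            }
            if (!rename($temp, $realFilename)) {
                throw new \Exception('Could not replace ' . $realFilename . ' with the downloaded phar.');
            }
            $this->filename = $realFilename;
            // … unchanged: else branch throwing 'Request failed.' …
```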