diff --git a/lib/view.js b/lib/view.js
index d66b4a2d89c..3540451114b 100644
--- a/lib/view.js
+++ b/lib/view.js
@@ -27,6 +27,8 @@ var basename = path.basename;
 var extname = path.extname;
 var join = path.join;
 var resolve = path.resolve;
+var sep = path.sep;
+var isAbsolute = path.isAbsolute;
 /**
 * Module exports.
@@ -112,6 +114,13 @@ View.prototype.lookup = function lookup(name) {
 // resolve the path
 var loc = resolve(root, name);
+
+ // containment check: only for relative paths — absolute paths are intentional
+ if (!isAbsolute(name) && loc.indexOf(resolve(root) + sep) !== 0) {
+ debug('path traversal attempt blocked: "%s"', loc);
+ continue;
+ }
+
 var dir = dirname(loc);
 var file = basename(loc);
@@ -202,4 +211,4 @@ function tryStat(path) {
 } catch (e) {
 return undefined;
 }
-}
+}
\ No newline at end of file
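Review bot: The containment test on the new `if` line in the lookup hunk is a purely lexical prefix comparison of resolved strings, and the comment above it should say so: it does not follow symlinks under `root`, it is case-sensitive even on case-insensitive filesystems, and absolute `name` values are passed through untouched, so callers that hand `lookup` an untrusted name remain responsible for validating it. Suggested replacement comment: `// lexical containment check (resolved strings only, no symlink resolution): a relative name must stay under root; absolute names are passed through as intentional`. If `root` itself resolves to a filesystem root, `resolve(root) + sep` ends in a doubled separator and every relative lookup is rejected; this is probably not a supported configuration, but a short comment or a guard such as `var rootDir = resolve(root); var prefix = rootDir.charAt(rootDir.length - 1) === sep ? rootDir : rootDir + sep;` would make the intent explicit. The enclosing `lookup` function and its loop begin and end outside this hunk, so the `continue` target is not visible here.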