diff --git a/sh/shared/github-auth.sh b/sh/shared/github-auth.sh
index 5ee97d62..49d5059a 100755
--- a/sh/shared/github-auth.sh
+++ b/sh/shared/github-auth.sh
@@ -208,7 +208,7 @@ _download_and_install_gh() {
 
     # Extract expected checksum for our tarball from the checksums file
     local expected_checksum
-    expected_checksum=$(grep "${tarball}" "${checksums_file}" | awk '{print $1}')
+    expected_checksum=$(grep "  ${tarball}"'$' "${checksums_file}" | awk '{print $1}')
     if [[ -z "${expected_checksum}" ]]; then
         log_error "Checksum for ${tarball} not found in checksums.txt"
         rm -rf "${tmpdir}"
@@ -228,6 +228,14 @@ _download_and_install_gh() {
 
     log_info "SHA256 checksum verified for ${tarball}"
 
+    # Defense-in-depth: reject tarballs containing absolute paths or ../ traversal
+    # (CWE-22: path traversal). This check is cross-platform (GNU + BSD tar).
+    if tar -tzf "${tmpdir}/${tarball}" | grep -qE '(^/|\.\.)'; then
+        log_error "Tarball contains absolute paths or path traversal — refusing to extract"
+        rm -rf "${tmpdir}"
+        return 1
+    fi
+
     tar -xzf "${tmpdir}/${tarball}" -C "${tmpdir}" || {
         log_error "Failed to extract ${tarball}"
         rm -rf "${tmpdir}"