diff --git a/homeassistant/components/media_source/local_source.py b/homeassistant/components/media_source/local_source.py
index d211b878b99..c29794ae8d7 100644
--- a/homeassistant/components/media_source/local_source.py
+++ b/homeassistant/components/media_source/local_source.py
@@ -48,7 +48,10 @@ class LocalSource(MediaSource):
     @callback
     def async_full_path(self, source_dir_id: str, location: str) -> Path:
         """Return full path."""
-        return Path(self.hass.config.media_dirs[source_dir_id], location)
+        base_path = self.hass.config.media_dirs[source_dir_id]
+        full_path = Path(base_path, location)
+        full_path.relative_to(base_path)
+        return full_path
 
     @callback
     def async_parse_identifier(self, item: MediaSourceItem) -> tuple[str, str]:
@@ -65,6 +68,9 @@ class LocalSource(MediaSource):
         except ValueError as err:
             raise Unresolvable("Invalid path.") from err
 
+        if Path(location).is_absolute():
+            raise Unresolvable("Invalid path.")
+
         return source_dir_id, location
 
     async def async_resolve_media(self, item: MediaSourceItem) -> PlayMedia:
diff --git a/tests/components/media_source/test_local_source.py b/tests/components/media_source/test_local_source.py
index 585f92c7a0f..cf50e967558 100644
--- a/tests/components/media_source/test_local_source.py
+++ b/tests/components/media_source/test_local_source.py
@@ -132,9 +132,13 @@ async def test_upload_view(
     hass: HomeAssistant,
     hass_client: ClientSessionGenerator,
     temp_dir,
+    tmpdir,
     hass_admin_user: MockUser,
 ) -> None:
     """Allow uploading media."""
+    # We need a temp dir that's not under tempdir fixture
+    extra_media_dir = tmpdir
+    hass.config.media_dirs["another_path"] = temp_dir
 
     img = (Path(__file__).parent.parent / "image_upload/logo.png").read_bytes()
 
@@ -167,6 +171,8 @@ async def test_upload_view(
         "media-source://media_source/test_dir/..",
         # Domain != media_source
         "media-source://nest/test_dir/.",
+        # Other directory
+        f"media-source://media_source/another_path///{extra_media_dir}/",
         # Completely something else
         "http://bla",
     ):
@@ -178,7 +184,7 @@ async def test_upload_view(
             },
         )
 
-        assert res.status == 400
+        assert res.status == 400, bad_id
         assert not (Path(temp_dir) / "bad-source-id.png").is_file()
 
     # Test invalid POST data