diff --git a/WHATSNEW b/WHATSNEW
index 7d98d7bc2..e5baae1fa 100644
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -9,10 +9,12 @@ Changes that could break older environments:
    destination directory anymore by default. A new attribute
    allowFilesToEscapeDest can be used to override the behavior.
    Another special case is when stripAbsolutePathSpec is false (which
-   still is the default) and the entry's name starts with a
+   no longer is the default) and the entry's name starts with a
    (back)slash and allowFilesToEscapeDest hasn't been specified
    explicitly, in this case the file may be created outside of the
    dest directory as well.
+   In addition stripAbsolutePathSpec is now true by default.
+   Based on a recommendation by the Snyk Security Research Team.
 
 Fixed bugs:
 -----------
diff --git a/manual/Tasks/unzip.html b/manual/Tasks/unzip.html
index 8b67f3b6c..7076e5a3a 100644
--- a/manual/Tasks/unzip.html
+++ b/manual/Tasks/unzip.html
@@ -108,7 +108,8 @@ extract an Ant generated ZIP archive.</p>
       name before extracting it.  Note that this changes the entry name before
       applying <code>include</code>/<code>exclude</code> patterns and before using the nested
       mappers (if any).  <em>since Ant 1.8.0</em></td>
-    <td>No; defaults to <q>false</q></td>
+    <td>No; defaults to <q>true</q> since 1.10.4
+      (used to defaukt to <q>false</q> prior to that)</td>
   </tr>
   <tr>
     <td>scanForUnicodeExtraFields</td>
diff --git a/src/main/org/apache/tools/ant/taskdefs/Expand.java b/src/main/org/apache/tools/ant/taskdefs/Expand.java
index 51f4043ff..de50311ed 100644
--- a/src/main/org/apache/tools/ant/taskdefs/Expand.java
+++ b/src/main/org/apache/tools/ant/taskdefs/Expand.java
@@ -75,7 +75,7 @@ public class Expand extends Task {
     private Union resources = new Union();
     private boolean resourcesSpecified = false;
     private boolean failOnEmptyArchive = false;
-    private boolean stripAbsolutePathSpec = false;
+    private boolean stripAbsolutePathSpec = true;
     private boolean scanForUnicodeExtraFields = true;
     private Boolean allowFilesToEscapeDest = null;
 
diff --git a/src/tests/antunit/taskdefs/unzip-test.xml b/src/tests/antunit/taskdefs/unzip-test.xml
index a220bc186..bdf5f61e1 100644
--- a/src/tests/antunit/taskdefs/unzip-test.xml
+++ b/src/tests/antunit/taskdefs/unzip-test.xml
@@ -101,16 +101,16 @@ public class A {
     <available property="can-write-to-tmp!" file="/tmp/testdir/"/>
   </target>
 
-  <target name="testEntriesCanEscapeDestViaAbsolutePathByDefault"
+  <target name="testEntriesCanEscapeDestViaAbsolutePathIfPermitted"
           depends="-can-write-to-tmp?" if="can-write-to-tmp!">
-    <unzip src="zip/direscape-absolute.zip" dest="${output}"/>
+    <unzip src="zip/direscape-absolute.zip" dest="${output}"
+           stripAbsolutePathSpec="false"/>
     <au:assertFileExists file="/tmp/testdir/a"/>
   </target>
 
-  <target name="testEntriesDontEscapeDestViaAbsolutePathIfProhibited"
+  <target name="testEntriesDontEscapeDestViaAbsolutePathByDefault"
           depends="-can-write-to-tmp?" if="can-write-to-tmp!">
-    <unzip src="zip/direscape-absolute.zip" dest="${output}"
-           allowFilesToEscapeDest="false"/>
+    <unzip src="zip/direscape-absolute.zip" dest="${output}"/>
     <au:assertFileDoesntExist file="/tmp/testdir/a"/>
   </target>
 </project>
