diff --git a/cilium-cli/connectivity/check/deployment.go b/cilium-cli/connectivity/check/deployment.go
index 205bbd6fecd60..ad426119f7f28 100644
--- a/cilium-cli/connectivity/check/deployment.go
+++ b/cilium-cli/connectivity/check/deployment.go
@@ -1900,10 +1900,17 @@ func (ct *ConnectivityTest) deployPerf(ctx context.Context) error {
 var lowPrioDeployAnnotations = annotations{bwPrioAnnotationString: "5"}
 var highPrioDeployAnnotations = annotations{bwPrioAnnotationString: "6"}
- ct.params.DeploymentAnnotations.Set(`{
- "` + perClientLowPriorityDeploymentName + `": ` + lowPrioDeployAnnotations.String() + `,
- "` + perClientHighPriorityDeploymentName + `": ` + highPrioDeployAnnotations.String() + `
- }`)
+ deployAnnos := map[string]annotations{
+ perClientLowPriorityDeploymentName: lowPrioDeployAnnotations,
+ perClientHighPriorityDeploymentName: highPrioDeployAnnotations,
+ }
+ if jsonBytes, err := json.Marshal(deployAnnos); err != nil {
+ ct.Warnf("failed to marshal deployment annotations: %s", err)
+ } else {
+ if err := ct.params.DeploymentAnnotations.Set(string(jsonBytes)); err != nil {
+ ct.Warnf("failed to set deployment annotations: %s", err)
+ }
+ }
 if err = ct.createServerPerfDeployment(ctx, perfServerDeploymentName, serverNode.Name, false); err != nil {
 ct.Warnf("unable to create deployment: %s", err)
 }
diff --git a/cilium-cli/sysdump/sysdump.go b/cilium-cli/sysdump/sysdump.go
index 63c1d4729d620..7f97d85be9a4d 100644
--- a/cilium-cli/sysdump/sysdump.go
+++ b/cilium-cli/sysdump/sysdump.go
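Review bot: The `} else { if err := ct.params.DeploymentAnnotations.Set(...); err != nil { ... } }` nesting at the end of the added block reads better collapsed into a single `} else if err := ct.params.DeploymentAnnotations.Set(string(jsonBytes)); err != nil {`, which removes one indentation level without changing behavior. The rewrite also assumes `json.Marshal` of the `annotations` type yields the same object shape the old `annotations.String()` output did; if `annotations` is a plain map type that holds, but if `String()` applied any custom formatting the value passed to `Set` now differs, which is worth a quick check since the type's definition is not in the hunk. deployPerf continues outside the hunk.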
@@ -2343,7 +2343,23 @@ func untar(src string, dst string) error {
 if err != nil {
 return err
 }
- filename := filepath.Join(dst, name)
+ cleanName := filepath.Clean(name)
+ // Security: Prevent Zip Slip (directory traversal)
+ if cleanName == "." || strings.HasPrefix(cleanName, "..") || filepath.IsAbs(cleanName) || strings.Contains(cleanName, "../") || strings.Contains(cleanName, `..\`) {
+ return fmt.Errorf("tar entry %q resolves outside of target dir", header.Name)
+ }
+ filename := filepath.Join(dst, cleanName)
+ absDst, err := filepath.Abs(dst)
+ if err != nil {
+ return err
+ }
+ absFile, err := filepath.Abs(filename)
+ if err != nil {
+ return err
+ }
+ if !strings.HasPrefix(absFile, absDst+string(os.PathSeparator)) && absFile != absDst {
+ return fmt.Errorf("tar entry %q would be extracted outside of target dir", header.Name)
+ }
 directory := filepath.Dir(filename)
 if err := os.MkdirAll(directory, 0755); err != nil {
 return err
diff --git a/pkg/policy/l4.go b/pkg/policy/l4.go
index a25253014aed0..507c1998c2813 100644
--- a/pkg/policy/l4.go
+++ b/pkg/policy/l4.go
@@ -1207,7 +1207,7 @@ func (sp *PerSelectorPolicy) redirectType() redirectTypes {
 func (l4 *L4Filter) Marshal() string {
 b, err := json.Marshal(l4)
 if err != nil {
- b = []byte("\"L4Filter error: " + err.Error() + "\"")
+ b = []byte(strconv.Quote("L4Filter error: " + err.Error()))
 }
 return string(b)
 }
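Review bot: The `cleanName == "."` case in the first added condition turns an archive's own root entry (`./`, which archives created with `tar -c .` typically carry) into a hard failure of the whole extraction instead of a harmless skip; unless the derivation of `name` above the hunk already filters it, handling that case separately with `if cleanName == "." { continue }` (presumably inside the entry read loop) keeps such archives extractable while still rejecting traversal. `absDst` does not change per entry, so `filepath.Abs(dst)` can be computed once before the loop rather than on every iteration. The prefix checks close the `..`-based traversal path, but if untar also writes symlink or hard-link entries (not visible here) a later entry placed under a link created earlier in the same archive is not caught by a lexical check; rejecting `tar.TypeSymlink`/`tar.TypeLink` headers, or resolving the target with `filepath.EvalSymlinks`, would close that gap. The enclosing loop of untar starts and ends outside the hunk.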
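Review bot: `strconv.Quote` on the added line emits Go string escapes rather than JSON escapes, so when the error text contains a non-printable byte or invalid UTF-8 the fallback can still contain sequences such as `\x00` that are not valid JSON, which is what callers of Marshal presumably expect to receive. Since `json` is already in use on the line above, `b, _ = json.Marshal("L4Filter error: " + err.Error())` produces correctly escaped JSON, and marshaling a plain string cannot fail, which the ignored error deserves a one-line comment stating. The new code also needs `strconv` imported in l4.go; the hunk does not show the import block, so confirm it is already present.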