diff --git a/Gemfile b/Gemfile
index ce84b212499..ea5075b875e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -118,7 +118,7 @@ gem 'recaptcha', '~> 4.9.0', '< 4.10.0', :require => 'recaptcha/rails'
 gem 'rmagick', '~> 2.16.0'
 gem 'rolify', '~> 5.2.0'
 gem 'ruby-msg', '~> 1.5.0', :git => 'https://github.com/mysociety/ruby-msg.git', :branch => 'ascii-encoding'
-gem 'rubyzip', '~> 1.2.2'
+gem 'rubyzip', '~> 1.3.0', '< 2.0.0'
 gem 'secure_headers', '~> 3.6.0'
 gem 'statistics2', '~> 0.54'
 gem 'strip_attributes', :git => 'https://github.com/mysociety/strip_attributes.git', :ref => 'c1c14da'
diff --git a/Gemfile.lock b/Gemfile.lock
index b7489429126..d512606f6f9 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -358,7 +358,7 @@ GEM
 unicode-display_width (~> 1.4.0)
 ruby-ole (1.2.12.1)
 ruby-progressbar (1.10.0)
- rubyzip (1.2.2)
+ rubyzip (1.3.0)
 safe_yaml (1.0.4)
 sass (3.4.25)
 sass-rails (5.0.7)
@@ -498,7 +498,7 @@ DEPENDENCIES
 rspec-rails (~> 3.7.2)
 rubocop (~> 0.63.1)
 ruby-msg (~> 1.5.0)!
- rubyzip (~> 1.2.2)
+ rubyzip (~> 1.3.0, < 2.0.0)
 sass-rails (~> 5.0.7)
 secure_headers (~> 3.6.0)
 statistics2 (~> 0.54)
diff --git a/Gemfile.rails_next.lock b/Gemfile.rails_next.lock
index afe9615b3eb..45f4ca019e9 100644
--- a/Gemfile.rails_next.lock
+++ b/Gemfile.rails_next.lock
@@ -358,7 +358,7 @@ GEM
 unicode-display_width (~> 1.4.0)
 ruby-ole (1.2.12.1)
 ruby-progressbar (1.10.0)
- rubyzip (1.2.2)
+ rubyzip (1.3.0)
 safe_yaml (1.0.4)
 sass (3.4.25)
 sass-rails (5.0.7)
@@ -498,7 +498,7 @@ DEPENDENCIES
 rspec-rails (~> 3.7.2)
 rubocop (~> 0.63.1)
 ruby-msg (~> 1.5.0)!
- rubyzip (~> 1.2.2)
+ rubyzip (~> 1.3.0, < 2.0.0)
 sass-rails (~> 5.0.7)
 secure_headers (~> 3.6.0)
 statistics2 (~> 0.54)
diff --git a/config/initializers/rubyzip.rb b/config/initializers/rubyzip.rb
new file mode 100644
index 00000000000..d8c1ca4bdbe
--- /dev/null
+++ b/config/initializers/rubyzip.rb
@@ -0,0 +1,8 @@
+# -*- encoding : utf-8 -*-
+require 'zip'
+
+# Manually set `validate_entry_sizes`, which is the default in rubyzip 2.0.0.
+# rubyzip 2.0.0 requires Ruby 2.4+, so we can't upgrade to that yet.
+#
+# See: https://github.com/rubyzip/rubyzip/pull/403
+Zip.validate_entry_sizes = true
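Review bot: `Zip.validate_entry_sizes = true` on the last line changes failure behaviour as well as hardening, and the comment above it does not say so. With the flag set, rubyzip raises `Zip::EntrySizeError` when an entry inflates beyond the size declared in its header, so code that unpacks user-supplied archives should rescue that error rather than let it surface as an unhandled exception; those callers are not visible in this diff. As far as I know the 1.3.0 check runs on the `Zip::Entry#extract` path, so code that reads an entry into memory through `get_input_stream` may not be covered, which is worth confirming against how attachments are actually unpacked. I would extend the comment with `# Raises Zip::EntrySizeError on extract when an entry is larger than its declared size; delete this file once on rubyzip >= 2.0.0.` and add a spec asserting `Zip.validate_entry_sizes` is true so the setting cannot be dropped silently.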