diff --git a/homeassistant/components/hassio/handler.py b/homeassistant/components/hassio/handler.py
index 653238709cdbeb21c9d89436115365532977e757..a0061647caa8366842aeb3d4aabb7565e66eaa54 100644
--- a/homeassistant/components/hassio/handler.py
+++ b/homeassistant/components/hassio/handler.py
@@ -330,6 +330,7 @@ class HassIO:
         self.loop = loop
         self.websession = websession
         self._ip = ip
+        self._base_url = URL(f"http://{ip}")
 
     @_api_bool
     def is_connected(self) -> Coroutine:
@@ -559,14 +560,20 @@ class HassIO:
         This method is a coroutine.
         """
         url = f"http://{self._ip}{command}"
-        if url != str(URL(url)):
+        joined_url = self._base_url.join(URL(command))
+        # This check is to make sure the normalized URL string
+        # is the same as the URL string that was passed in. If
+        # they are different, then the passed in command URL
+        # contained characters that were removed by the normalization
+        # such as ../../../../etc/passwd
+        if url != str(joined_url):
             _LOGGER.error("Invalid request %s", command)
             raise HassioAPIError()
 
         try:
             request = await self.websession.request(
                 method,
-                f"http://{self._ip}{command}",
+                joined_url,
                 json=payload,
                 headers={
                     aiohttp.hdrs.AUTHORIZATION: (
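Review bot: The comparison `if url != str(joined_url):` is the only thing that keeps `command` from changing the request's host, and it does so implicitly. `URL.join` resolves an absolute or scheme-relative reference by taking that reference's authority, so such a `command` is rejected only because the concatenated `url` string happens to differ from the joined one. The request that follows carries the `Authorization` header, so I would make the invariant explicit with `if url != str(joined_url) or joined_url.origin() != self._base_url.origin():`, and extend the comment to say the check covers host changes and any other input yarl rewrites on parsing, not only `../` segments. Separately, the rejected `command` is logged verbatim; `_LOGGER.error("Invalid request %r", command)` would keep embedded control characters from splitting log lines. The coroutine's signature and the rest of its body are outside this hunk, so this assumes `command` reaches here unvalidated.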