From 9571f7b98e3d6b8efaca4a567c6a9794f609a704 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Wed, 6 May 2026 09:39:49 +0000
Subject: [PATCH] fix: V-007 security vulnerability

Automated security fix generated by Orbis Security AI
---
 packages/payload/src/utilities/handleEndpoints.ts | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/packages/payload/src/utilities/handleEndpoints.ts b/packages/payload/src/utilities/handleEndpoints.ts
index b69f10d5f53..e3ce1e5b15b 100644
--- a/packages/payload/src/utilities/handleEndpoints.ts
+++ b/packages/payload/src/utilities/handleEndpoints.ts
@@ -95,6 +95,14 @@ export const handleEndpoints = async ({
 url = `${request.url}?${search}`
 } else if (request.headers.get('Content-Type') === 'application/json') {
 // May not be supported by every endpoint
+ // Enforce request body size limit to prevent resource exhaustion
+ const contentLength = request.headers.get('content-length')
+ if (contentLength && parseInt(contentLength, 10) > 10 * 1024 * 1024) {
+ return new Response(JSON.stringify({ message: 'Request entity too large' }), {
+ headers: { 'Content-Type': 'application/json' },
+ status: 413,
+ })
+ }
 data = await request.json()
 // locale and fallbackLocale is read by createPayloadRequest to populate req.locale and req.fallbackLocale