diff --git a/app/Controller/AvatarFileController.php b/app/Controller/AvatarFileController.php
index ed8a10288..81a324fbd 100644
--- a/app/Controller/AvatarFileController.php
+++ b/app/Controller/AvatarFileController.php
@@ -59,6 +59,12 @@ class AvatarFileController extends BaseController
 {
 $user_id = $this->request->getIntegerParam('user_id');
 $size = $this->request->getStringParam('size', 48);
+
+ if ($size > 100) {
+ $this->response->status(400);
+ return;
+ }
+
 $filename = $this->avatarFileModel->getFilename($user_id);
 $etag = md5($filename.$size);