diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 31d85e42..53e3c1a6 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -276,6 +276,9 @@ services:
 # SSR fetches go inside the docker network; clients hit https://${APP_DOMAIN}
 API_INTERNAL_URL: http://backend:8080
 ORIGIN: https://${APP_DOMAIN}
+ # Enforce upload size limit in the adapter-node layer (fixes GHSA-2crg-3p73-43xp bypass).
+ # Must be ≤ client_max_body_size in the Caddy reverse proxy to avoid 413 mismatches.
+ BODY_SIZE_LIMIT: 50M
 networks:
 - archiv-net
 healthcheck:
diff --git a/docker-compose.yml b/docker-compose.yml
index 842f94e1..7bc27dbe 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -228,6 +228,9 @@ services:
 API_INTERNAL_URL: http://backend:8080
 # Vite dev proxy forwards /api from browser to the backend container
 API_PROXY_TARGET: http://backend:8080
+ # Upload size limit for adapter-node (production target). Not enforced by Vite dev server
+ # but kept here to match docker-compose.prod.yml and prevent config drift.
+ BODY_SIZE_LIMIT: 50M
 ports:
 - "${PORT_FRONTEND}:5173"
 networks:
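Review bot: The value `50M` on the added `BODY_SIZE_LIMIT` line only works if the installed adapter-node accepts a unit suffix. As far as I recall, older adapter-node releases parsed this variable as a plain integer byte count, so either confirm the installed version handles suffixes or write the byte value, `BODY_SIZE_LIMIT: "52428800"`; the same value is added in docker-compose.yml. The added comment also names `client_max_body_size`, which is an nginx directive. For Caddy the corresponding cap is `request_body` with `max_size`, so the comment should point there, e.g. `# Must be ≤ request_body max_size in the Caddyfile to avoid 413 mismatches.` The advisory id implies a package-level fix, but this hunk only sets the limit, so whether a patched adapter version is deployed cannot be confirmed from these lines.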
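Review bot: The added comment says the duplicate entry prevents config drift, but a literal `50M` repeated in two compose files is itself what can drift. A single interpolated variable with a default, `BODY_SIZE_LIMIT: "${BODY_SIZE_LIMIT:-50M}"`, used in both files would keep one source of truth, and the file already interpolates `${PORT_FRONTEND}` the same way. The comment states the Vite dev server does not enforce this limit, so oversized-upload rejection is not exercised in this environment. Any test of the limit should therefore run against the adapter-node build rather than this service.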