diff --git a/packages/backend/src/api/APIError.js b/packages/backend/src/api/APIError.js
index fee79b9a86..738f3b5a7d 100644
--- a/packages/backend/src/api/APIError.js
+++ b/packages/backend/src/api/APIError.js
@@ -220,6 +220,10 @@ module.exports = class APIError {
             status: 400,
             message: 'Missing fileinfo entry or BLOB for operation.',
         },
+        'invalid_file_metadata': {
+            status: 400,
+            message: 'Invalid file metadata.',
+        },
 
         // Open
         'no_suitable_app': {
diff --git a/packages/backend/src/routers/filesystem_api/batch/all.js b/packages/backend/src/routers/filesystem_api/batch/all.js
index f09b6d45f1..7438334d8b 100644
--- a/packages/backend/src/routers/filesystem_api/batch/all.js
+++ b/packages/backend/src/routers/filesystem_api/batch/all.js
@@ -192,7 +192,11 @@ module.exports = eggspress('/batch', {
             }
 
             if ( fieldname === 'fileinfo' ) {
-                fileinfos.push(JSON.parse(value));
+                const fileinfo = JSON.parse(value);
+                if ( fileinfo.size < 0 ) {
+                    throw APIError.create('invalid_file_metadata');
+                }
+                fileinfos.push(fileinfo);
                 return;
             }