diff --git a/src/weather.cpp b/src/weather.cpp
index 006b51b..22f1d7d 100644
--- a/src/weather.cpp
+++ b/src/weather.cpp
@@ -26,9 +26,18 @@ std::string urlEncode(const std::string& value) {
     return escaped.str();
 }
 
+constexpr size_t MAX_RESPONSE_BYTES = 512 * 1024;  // 512 KB; weatherapi.com responses are ~10 KB
+
 size_t writeCallback(void* contents, size_t size, size_t nmemb, void* userp) {
-    static_cast<std::string*>(userp)->append(static_cast<char*>(contents), size * nmemb);
-    return size * nmemb;
+    auto* buf = static_cast<std::string*>(userp);
+    size_t incoming = size * nmemb;
+    if (buf->size() + incoming > MAX_RESPONSE_BYTES) {
+        LOG_ERROR("Weather API response exceeds " << (MAX_RESPONSE_BYTES / 1024)
+                  << " KB — aborting fetch");
+        return 0;  // signals libcurl to abort with CURLE_WRITE_ERROR
+    }
+    buf->append(static_cast<char*>(contents), incoming);
+    return incoming;
 }
 
 // Helper: safely extract a string from a JSON value, returning fallback on missing/null.