diff --git a/lib/utils.js b/lib/utils.js
index 232e2e25..22f9ae73 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -63,6 +63,11 @@ function normalizeOptions (options, defaultType) {
   var limit = typeof options?.limit === 'undefined' || options?.limit === null
     ? 102400 // 100kb default
     : bytes.parse(options.limit)
+
+  if (limit !== null && limit < 0) {
+    throw new TypeError('option limit must be a non-negative number')
+  }
+
   var type = options?.type || defaultType
   var verify = options?.verify || false
   var defaultCharset = options?.defaultCharset || 'utf-8'
diff --git a/test/utils.js b/test/utils.js
index 62b9b1e6..b016614e 100644
--- a/test/utils.js
+++ b/test/utils.js
@@ -130,6 +130,28 @@ describe('normalizeOptions(options, defaultType)', () => {
           normalizeOptions({ limit: { foo: 'bar' } }, 'application/json')
         }, /option limit "\[object Object\]" is invalid/)
       })
+
+      it('should throw an error for negative string limit', () => {
+        assert.throws(() => {
+          normalizeOptions({ limit: '-100kb' }, 'application/json')
+        }, /option limit must be a non-negative number/)
+      })
+
+      it('should throw an error for negative number limit', () => {
+        assert.throws(() => {
+          normalizeOptions({ limit: -1024 }, 'application/json')
+        }, /option limit must be a non-negative number/)
+      })
+
+      it('should accept zero limit', () => {
+        const result = normalizeOptions({ limit: 0 }, 'application/json')
+        assert.strictEqual(result.limit, 0)
+      })
+
+      it('should accept zero string limit', () => {
+        const result = normalizeOptions({ limit: '0kb' }, 'application/json')
+        assert.strictEqual(result.limit, 0)
+      })
     })
 
     describe('type', () => {