diff --git a/consensus/XDPoS/utils/utils.go b/consensus/XDPoS/utils/utils.go
index b7e80874b3..f620e0dae1 100644
--- a/consensus/XDPoS/utils/utils.go
+++ b/consensus/XDPoS/utils/utils.go
@@ -81,6 +81,11 @@ func DecodeBytesExtraFields(b []byte, val interface{}) error {
 if len(b) == 0 {
 return errors.New("extra field is 0 length")
 }
+ // Prevent payload attack, limit the size of extra field to 20k bytes. Normal Extrafield payload is less than 7k bytes.
+ if len(b) > 20000 {
+ return errors.New("extra field is too long")
+ }
+
 switch b[0] {
 case 2:
 return rlp.DecodeBytes(b[1:], val)
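Review bot: The bound in `if len(b) > 20000 {` is a bare literal whose rationale lives only in the comment above it; hoisting it to a named package constant such as `const maxExtraFieldLength = 20000 // upper bound on an untrusted extra-field payload; normal payloads are under 7k bytes` keeps the limit discoverable and lets tests and callers reference the same value instead of a copy. The new rejection also drops the observed size, which is the one fact an operator needs when a peer's header is refused; if fmt is already imported in this file, `return fmt.Errorf("extra field is too long: %d bytes (max %d)", len(b), maxExtraFieldLength)` would carry it without changing the error's type. Placing the check after the zero-length guard and before the `b[0]` dispatch is the right order, since every branch of the switch decodes the remainder. DecodeBytesExtraFields continues past the end of the hunk.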