diff --git a/Assets/Mirror/Runtime/Transport/Telepathy/Telepathy.dll b/Assets/Mirror/Runtime/Transport/Telepathy/Telepathy.dll
index 085766ec8..b2448afd7 100644
Binary files a/Assets/Mirror/Runtime/Transport/Telepathy/Telepathy.dll and b/Assets/Mirror/Runtime/Transport/Telepathy/Telepathy.dll differ
diff --git a/Assets/Mirror/Runtime/Transport/TelepathyTransport.cs b/Assets/Mirror/Runtime/Transport/TelepathyTransport.cs
index a945430bd..bab3b7152 100644
--- a/Assets/Mirror/Runtime/Transport/TelepathyTransport.cs
+++ b/Assets/Mirror/Runtime/Transport/TelepathyTransport.cs
@@ -10,6 +10,9 @@ public class TelepathyTransport : Transport
         [Tooltip("Nagle Algorithm can be disabled by enabling NoDelay")]
         public bool NoDelay = true;
 
+        [Tooltip("Protect against allocation attacks by keeping the max message size small. Otherwise an attacker might send multiple fake packets with 2GB headers, causing the server to run out of memory after allocating multiple large packets.")]
+        public int MaxMessageSize = 16 * 1024;
+
         protected Telepathy.Client client = new Telepathy.Client();
         protected Telepathy.Server server = new Telepathy.Server();
 
@@ -22,7 +25,9 @@ void Awake()
 
             // configure
             client.NoDelay = NoDelay;
+            client.MaxMessageSize = MaxMessageSize;
             server.NoDelay = NoDelay;
+            server.MaxMessageSize = MaxMessageSize;
 
             // HLAPI's local connection uses hard coded connectionId '0', so we
             // need to make sure that external connections always start at '1'