diff --git a/CHANGELOG.md b/CHANGELOG.md
index 335ce37d55f..97f86fea6eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,10 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 ## [Unreleased]
+### Fixed
+
+- Limit the request body size at 1MB in `go.opentelemetry.io/contrib/zpages`. (#8656)
+
diff --git a/zpages/tracez.go b/zpages/tracez.go
index b0ca486d31a..4f210e53251 100644
--- a/zpages/tracez.go
+++ b/zpages/tracez.go
@@ -41,6 +41,8 @@ const (
 spanLatencyBucketQueryField = "zlatencybucket"
 // maxTraceMessageLength is the maximum length of a message in tracez output.
 maxTraceMessageLength = 1024
+
+ maxRequestBodySize = 1 << 20 // 1MB
 )
 type summaryTableData struct {
@@ -79,6 +81,8 @@ func NewTracezHandler(sp *SpanProcessor) http.Handler {
 // ServeHTTP implements the http.Handler and is capable of serving "tracez" HTTP requests.
 func (th *tracezHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", "text/html; charset=utf-8")
+
+ r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)
 if err := r.ParseForm(); err != nil {
 w.WriteHeader(http.StatusBadRequest)
 return
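Review bot: `maxRequestBodySize` is added to the const block without a doc comment, while the neighbouring `maxTraceMessageLength` has one, and the trailing `// 1MB` is slightly imprecise because `1 << 20` is 1 MiB (1,048,576 bytes). I would put `// maxRequestBodySize is the maximum number of request body bytes ServeHTTP reads before ParseForm fails.` above it and change the trailing comment to `// 1 MiB`. The const block opens above this hunk, so any other conventions it follows are not visible here.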
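Review bot: An over-limit body is answered with a generic 400 in ServeHTTP, because the error `r.ParseForm()` returns once `http.MaxBytesReader` reaches `maxRequestBodySize` falls into the existing `http.StatusBadRequest` branch, so clients and anyone reading access logs cannot tell an oversized request from a malformed one. Inside that branch I would check the error type first: `var tooLarge *http.MaxBytesError` followed by `if errors.As(err, &tooLarge) { w.WriteHeader(http.StatusRequestEntityTooLarge); return }`. This needs the `errors` import if the file does not already have it (the import block is outside the hunk) and Go 1.19 or later for `http.MaxBytesError`. No test accompanies the change in the visible diff; a handler test that posts a form body just over the limit and asserts the status would pin the new behaviour. The body of ServeHTTP continues past the end of this hunk.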