diff --git a/go.sum b/go.sum
index 59c7470..14917eb 100644
--- a/go.sum
+++ b/go.sum
@@ -497,8 +497,6 @@ github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4f
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/micro/micro-go v0.0.0-20211101221015-79ab982f8163 h1:kNngAyoUre7ahqYWjlBVpT4GGDYM7r9BYUzpcOveaPs=
 github.com/micro/micro-go v0.0.0-20211101221015-79ab982f8163/go.mod h1:o4fTExNn5LlnQRB/WiW3RChsohPwQTJ1AKdNCz2YEYA=
-github.com/micro/micro/v3 v3.6.1-0.20211109113157-0b9ea62abb19 h1:gMbXjyo+Z3Vqnkjfv2wk4LI8CbmE79NmKSnF2KwzZ14=
-github.com/micro/micro/v3 v3.6.1-0.20211109113157-0b9ea62abb19/go.mod h1:NqYnFOGrnc0Apk912w49oX9qIk1YDJcCaO+y+CLaAXA=
 github.com/micro/micro/v3 v3.6.1-0.20211110104311-614fde05be0c h1:9+w31dXDHVUD11x1St5LiXiBQLNSUxgeH9GI9+sKv0M=
 github.com/micro/micro/v3 v3.6.1-0.20211110104311-614fde05be0c/go.mod h1:NqYnFOGrnc0Apk912w49oX9qIk1YDJcCaO+y+CLaAXA=
 github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
diff --git a/image/handler/image.go b/image/handler/image.go
index f94c9a3..4147ad4 100644
--- a/image/handler/image.go
+++ b/image/handler/image.go
@@ -50,18 +50,17 @@ func (e *Image) Upload(ctx context.Context, req *img.UploadRequest, rsp *img.Upl
 	if !ok {
 		return merrors.Unauthorized("image.Upload", "Not authorized")
 	}
-	var imageBytes *bytes.Buffer
+	var imageBytes []byte
 	var err error
 
 	if len(req.File) > 0 {
-		imageBytes = bytes.NewBuffer(req.File)
-
+		imageBytes = req.File
 	} else if len(req.Base64) > 0 {
 		b, _, err := base64ToImage(req.Base64)
 		if err != nil {
 			return err
 		}
-		imageBytes = bytes.NewBuffer(b)
+		imageBytes = b
 	} else if len(req.Url) > 0 {
 		_, err := url.Parse(req.Url)
 		if err != nil {
@@ -76,12 +75,21 @@ func (e *Image) Upload(ctx context.Context, req *img.UploadRequest, rsp *img.Upl
 		if err != nil {
 			return err
 		}
-		imageBytes = bytes.NewBuffer(b)
+		imageBytes = b
 	} else {
 		return merrors.BadRequest("image.Upload", "file, base64 or url param is required")
 	}
 
-	err = store.DefaultBlobStore.Write(fmt.Sprintf("%v/%v/%v", pathPrefix, tenantID, req.Name), imageBytes, store.BlobPublic(true))
+	// validate that this is indeed an image file
+	_, _, err = image.Decode(bytes.NewReader(imageBytes))
+	if err != nil {
+		if err == image.ErrFormat {
+			return merrors.BadRequest("image.Upload", "Unrecognised image format")
+		}
+		return merrors.InternalServerError("image.Upload", "Error processing upload")
+	}
+
+	err = store.DefaultBlobStore.Write(fmt.Sprintf("%v/%v/%v", pathPrefix, tenantID, req.Name), bytes.NewReader(imageBytes), store.BlobPublic(true))
 	if err != nil {
 		return err
 	}