diff --git a/src/line/webhook-node.test.ts b/src/line/webhook-node.test.ts
index c3840ec92df..0414f63d243 100644
--- a/src/line/webhook-node.test.ts
+++ b/src/line/webhook-node.test.ts
@@ -104,6 +104,28 @@ describe("createLineNodeWebhookHandler", () => {
     expect(bot.handleWebhook).not.toHaveBeenCalled();
   });
 
+  it("uses a tight body-read limit for unsigned POST requests", async () => {
+    const bot = { handleWebhook: vi.fn(async () => {}) };
+    const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
+    const readBody = vi.fn(async (_req: IncomingMessage, maxBytes: number) => {
+      expect(maxBytes).toBe(4096);
+      return JSON.stringify({ events: [{ type: "message" }] });
+    });
+    const handler = createLineNodeWebhookHandler({
+      channelSecret: "secret",
+      bot,
+      runtime,
+      readBody,
+    });
+
+    const { res } = createRes();
+    await handler({ method: "POST", headers: {} } as unknown as IncomingMessage, res);
+
+    expect(res.statusCode).toBe(400);
+    expect(readBody).toHaveBeenCalledTimes(1);
+    expect(bot.handleWebhook).not.toHaveBeenCalled();
+  });
+
   it("rejects invalid signature", async () => {
     const rawBody = JSON.stringify({ events: [{ type: "message" }] });
     const { bot, handler } = createPostWebhookTestHarness(rawBody);
diff --git a/src/line/webhook-node.ts b/src/line/webhook-node.ts
index 493f00e186b..da914c90a06 100644
--- a/src/line/webhook-node.ts
+++ b/src/line/webhook-node.ts
@@ -11,6 +11,7 @@ import { validateLineSignature } from "./signature.js";
 import { isLineWebhookVerificationRequest, parseLineWebhookBody } from "./webhook-utils.js";
 
 const LINE_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024;
+const LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES = 4 * 1024;
 const LINE_WEBHOOK_BODY_TIMEOUT_MS = 30_000;
 
 export async function readLineWebhookRequestBody(
@@ -54,8 +55,18 @@ export function createLineNodeWebhookHandler(params: {
     }
 
     try {
-      const rawBody = await readBody(req, maxBodyBytes);
-      const signature = req.headers["x-line-signature"];
+      const signatureHeader = req.headers["x-line-signature"];
+      const signature =
+        typeof signatureHeader === "string"
+          ? signatureHeader
+          : Array.isArray(signatureHeader)
+            ? signatureHeader[0]
+            : undefined;
+      const hasSignature = typeof signature === "string" && signature.trim().length > 0;
+      const bodyLimit = hasSignature
+        ? maxBodyBytes
+        : Math.min(maxBodyBytes, LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES);
+      const rawBody = await readBody(req, bodyLimit);
 
       // Parse once; we may need it for verification requests and for event processing.
       const body = parseLineWebhookBody(rawBody);
@@ -63,7 +74,7 @@ export function createLineNodeWebhookHandler(params: {
       // LINE webhook verification sends POST {"events":[]} without a
       // signature header. Return 200 so the LINE Developers Console
       // "Verify" button succeeds.
-      if (!signature || typeof signature !== "string") {
+      if (!hasSignature) {
         if (isLineWebhookVerificationRequest(body)) {
           logVerbose("line: webhook verification request (empty events, no signature) - 200 OK");
           res.statusCode = 200;