File uploads in FastAPI look deceptively simple — a few lines of code and you’re done. Then you hit a wall: a mysterious 422, a crash with no traceback, or uploads that silently eat your server’s memory. This guide covers the most common FastAPI file upload errors and exactly how to fix each one.
Quick Answer: Most FastAPI file upload errors fall into one of these buckets:
python-multipartisn’t installed (causes silent 422)- You’re mixing JSON body + form/file fields (not allowed in HTTP)
- No file size validation (memory exhaustion on large uploads)
- Reading the entire file into memory instead of streaming it
- Wrong content-type header from the client
Cause #1: Missing python-multipart Dependency
This is the single most common FastAPI file upload bug and the cruelest one. You write perfectly correct code, send a file, and get back a 422 Unprocessable Entity with no mention of the real problem.
The error response you’ll see:
{
"detail": [
{
"loc": ["body", "file"],
"msg": "field required",
"type": "value_error.missing"
}
]
}
Looks like a validation problem, right? It’s not. FastAPI uses python-multipart under the hood to parse multipart/form-data requests. If that package isn’t installed, FastAPI can’t parse the request at all — so every field looks “missing.”
The fix:
pip install python-multipart
That’s it. Add it to your requirements.txt or pyproject.toml too, otherwise the next deploy will break again:
# requirements.txt
fastapi>=0.100.0
uvicorn[standard]>=0.22.0
python-multipart>=0.0.6 # Required for file/form uploads
Why this happens: FastAPI intentionally doesn’t bundle python-multipart as a hard dependency. Not every FastAPI app needs file uploads, and keeping the core lightweight is the right call. But the error message doesn’t tell you this, which is why it trips up so many developers.
Cause #2: Mixing JSON Body with File Fields
HTTP multipart requests and JSON bodies are fundamentally different content types. You can’t send a JSON body (application/json) and file fields (multipart/form-data) in the same request. FastAPI will reject it with a 422 or simply ignore one of them.
This doesn’t work:
# ❌ Wrong — you can't combine File() with a JSON body model
from fastapi import FastAPI, File, UploadFile
from pydantic import BaseModel
class Metadata(BaseModel):
title: str
description: str
app = FastAPI()
@app.post("/upload/")
async def upload(metadata: Metadata, file: UploadFile = File(...)):
# This will fail — FastAPI can't parse both at once
pass
The fix — use Form fields instead of a Pydantic model:
# ✅ Correct — use Form() fields alongside File()
from fastapi import FastAPI, File, Form, UploadFile
app = FastAPI()
@app.post("/upload/")
async def upload(
title: str = Form(...),
description: str = Form(...),
file: UploadFile = File(...),
):
content = await file.read()
return {
"title": title,
"description": description,
"filename": file.filename,
"size": len(content),
}
Alternative — send metadata as a JSON string in a form field:
# ✅ Also works — serialize metadata to JSON string, parse it manually
import json
from fastapi import FastAPI, File, Form, UploadFile
app = FastAPI()
@app.post("/upload/")
async def upload(
metadata: str = Form(...), # JSON string
file: UploadFile = File(...),
):
meta = json.loads(metadata)
content = await file.read()
return {"filename": file.filename, "title": meta.get("title")}
The client sends metadata as a stringified JSON value inside the multipart form. It’s a bit awkward but works when you need structured data alongside files.
Cause #3: No File Size Validation
FastAPI has no built-in maximum file size. Send a 2 GB file to a route with await file.read() and you’ll read 2 GB into memory. On a server with 512 MB RAM, that’s an OOM crash.
The dangerous pattern:
# ❌ No size check — will exhaust memory on large uploads
@app.post("/upload/")
async def upload(file: UploadFile = File(...)):
content = await file.read() # Reads everything into memory
process(content)
return {"size": len(content)}
Fix #1 — Check size after reading (acceptable for small files):
# ✅ OK for files you expect to be small (under a few MB)
from fastapi import FastAPI, File, HTTPException, UploadFile
MAX_UPLOAD_SIZE = 5 * 1024 * 1024 # 5 MB
app = FastAPI()
@app.post("/upload/")
async def upload(file: UploadFile = File(...)):
content = await file.read()
if len(content) > MAX_UPLOAD_SIZE:
raise HTTPException(
status_code=413,
detail=f"File too large. Maximum size is {MAX_UPLOAD_SIZE // (1024*1024)} MB.",
)
return {"filename": file.filename, "size": len(content)}
Fix #2 — Stream and enforce limit without loading everything into memory:
# ✅ Best for production — streams in chunks, rejects early
import io
from fastapi import FastAPI, File, HTTPException, UploadFile
MAX_UPLOAD_SIZE = 10 * 1024 * 1024 # 10 MB
CHUNK_SIZE = 1024 * 64 # 64 KB chunks
app = FastAPI()
@app.post("/upload/")
async def upload(file: UploadFile = File(...)):
buffer = io.BytesIO()
total_size = 0
while chunk := await file.read(CHUNK_SIZE):
total_size += len(chunk)
if total_size > MAX_UPLOAD_SIZE:
raise HTTPException(
status_code=413,
detail="File exceeds maximum allowed size.",
)
buffer.write(chunk)
buffer.seek(0)
# Now process buffer.read() or pass buffer to your storage layer
return {"filename": file.filename, "size": total_size}
This approach rejects oversized files mid-stream without ever holding the whole thing in memory. For production workloads handling user-uploaded files, this is the pattern you want.
Cause #4: Blocking File I/O in Async Routes
FastAPI is built on async, but file operations in Python are synchronous by default. If you’re saving uploads to disk inside an async def route using the standard open() call, you’re blocking the entire event loop for every upload. Under load, this tanks throughput.
The blocking pattern:
# ❌ Blocks the event loop during file write
@app.post("/upload/")
async def upload(file: UploadFile = File(...)):
content = await file.read()
with open(f"/uploads/{file.filename}", "wb") as f:
f.write(content) # Synchronous — blocks event loop
return {"saved": file.filename}
Fix — use aiofiles for async disk writes:
pip install aiofiles
# ✅ Non-blocking file write with aiofiles
import aiofiles
from fastapi import FastAPI, File, UploadFile
app = FastAPI()
@app.post("/upload/")
async def upload(file: UploadFile = File(...)):
save_path = f"/uploads/{file.filename}"
async with aiofiles.open(save_path, "wb") as out_file:
while chunk := await file.read(65536):
await out_file.write(chunk)
return {"saved": file.filename}
Alternative — run sync I/O in a thread pool:
# ✅ Use run_in_executor for sync code you can't easily replace
import asyncio
from fastapi import FastAPI, File, UploadFile
app = FastAPI()
def save_to_disk(path: str, content: bytes):
with open(path, "wb") as f:
f.write(content)
@app.post("/upload/")
async def upload(file: UploadFile = File(...)):
content = await file.read()
loop = asyncio.get_event_loop()
await loop.run_in_executor(None, save_to_disk, f"/uploads/{file.filename}", content)
return {"saved": file.filename}
Which to choose? If you’re doing a lot of file I/O, aiofiles is cleaner. The run_in_executor approach is useful when you need to call a third-party library that isn’t async-aware.
Cause #5: Multiple File Uploads Not Working
Handling multiple files trips developers up because the syntax is slightly different from single-file uploads.
The wrong approach:
# ❌ This only accepts a single file, not a list
@app.post("/upload-many/")
async def upload_many(files: UploadFile = File(...)):
pass
The correct approach with List:
# ✅ Use List[UploadFile] for multiple files
from typing import List
from fastapi import FastAPI, File, UploadFile
app = FastAPI()
@app.post("/upload-many/")
async def upload_many(files: List[UploadFile] = File(...)):
results = []
for file in files:
content = await file.read()
results.append({
"filename": file.filename,
"content_type": file.content_type,
"size": len(content),
})
return {"uploaded": results}
The client sends the request with multiple fields sharing the same name (e.g., files repeated), and FastAPI collects them into the list automatically.
Cause #6: Wrong Content-Type Handling
FastAPI’s UploadFile doesn’t validate content_type — it just reads whatever the client sends. That means a user can upload a .exe with content_type: image/jpeg and your code won’t know. If you’re relying on file.content_type for security decisions, you’re doing it wrong.
Don’t trust content_type alone:
# ❌ Insecure — content_type is client-supplied and unverified
@app.post("/upload-image/")
async def upload_image(file: UploadFile = File(...)):
if file.content_type not in ("image/jpeg", "image/png"):
raise HTTPException(400, "Only JPEG and PNG allowed")
# This check can be bypassed by any client
Validate by reading the file header (magic bytes):
# ✅ Validate actual file content using magic bytes
from fastapi import FastAPI, File, HTTPException, UploadFile
ALLOWED_SIGNATURES = {
b"\xff\xd8\xff": "image/jpeg",
b"\x89PNG": "image/png",
b"GIF8": "image/gif",
}
app = FastAPI()
@app.post("/upload-image/")
async def upload_image(file: UploadFile = File(...)):
header = await file.read(8)
await file.seek(0) # Reset so we can read the full file later
detected = None
for signature, mime in ALLOWED_SIGNATURES.items():
if header.startswith(signature):
detected = mime
break
if not detected:
raise HTTPException(
status_code=400,
detail="File does not appear to be a valid image.",
)
content = await file.read()
return {"filename": file.filename, "detected_type": detected, "size": len(content)}
The python-magic library is another solid option for more comprehensive MIME detection:
pip install python-magic
import magic
content = await file.read()
mime = magic.from_buffer(content, mime=True)
if mime not in ("image/jpeg", "image/png"):
raise HTTPException(400, "Unsupported file type")
Still Not Working?
A few less-common issues worth checking:
Uvicorn request body size limit: Uvicorn itself doesn’t impose a body size limit by default, but reverse proxies like Nginx do. If uploads fail at a specific size (often 1 MB), check your Nginx client_max_body_size directive:
# nginx.conf
client_max_body_size 50M;
Filename encoding: file.filename is whatever the client sends, and it can contain path separators (../../etc/passwd). Always sanitize before using it in a file path:
import os
from pathlib import Path
safe_name = Path(file.filename).name # Strips directory traversal
save_path = f"/uploads/{safe_name}"
UploadFile exhausted after first read: UploadFile is a stream. Once you call await file.read(), the cursor is at the end. Calling it again returns empty bytes. Use await file.seek(0) to reset, or store the content in a variable and reuse that.
content = await file.read()
# Later... don't call file.read() again
# Instead:
await file.seek(0)
content_again = await file.read()
Summary Checklist
Before deploying file upload endpoints, run through this list:
- [ ]
python-multipartis in your dependencies - [ ] File fields use
Form()notBody()alongside other form data - [ ] File size is validated before or during reading
- [ ] Large files are streamed in chunks, not read all at once
- [ ] Disk writes use
aiofilesorrun_in_executor - [ ]
content_typeis validated against actual file headers, not just client-supplied value - [ ] Filenames are sanitized before use in file paths
- [ ] Nginx or other proxy
client_max_body_sizeis configured appropriately
For more on async pitfalls in FastAPI, check out our guides on FastAPI async/sync blocking errors and FastAPI background task failures. Both cover the event loop behavior that makes streaming uploads tick.
Use Debugly’s trace formatter to quickly parse and analyze Python tracebacks from failed file upload handlers — paste your stack trace and get a clean, annotated breakdown of exactly where the failure occurred.