diff --git a/sftpd/handler.go b/sftpd/handler.go
index a6bcb5c4..d352e641 100644
--- a/sftpd/handler.go
+++ b/sftpd/handler.go
@@ -261,6 +261,11 @@ func (c Connection) handleSFTPSetstat(path string, request *sftp.Request) error
 if setstatMode == 1 {
 return nil
 }
+ if len(request.Attrs) < 1 {
+ c.Log(logger.LevelInfo, logSender, "cannot handle Setstat request with no attrs, this is probably a buggy client: %v",
+ c.ClientVersion)
+ return sftp.ErrSSHFxBadMessage
+ }
 attrFlags := request.AttrFlags()
 if attrFlags.Permissions {
 if !c.User.HasPerm(dataprovider.PermChmod) {
diff --git a/sftpd/internal_test.go b/sftpd/internal_test.go
index 5fc75795..5cb4292c 100644
--- a/sftpd/internal_test.go
+++ b/sftpd/internal_test.go
@@ -227,6 +227,12 @@ func TestSetstatModeIgnore(t *testing.T) {
 if err != nil {
 t.Errorf("unexpected error: %v setstat should be silently ignore in mode 1", err)
 }
+ setstatMode = 0
+ req := sftp.NewRequest("Setstat", "invalid")
+ err = connection.handleSFTPSetstat("invalid", req)
+ if err != sftp.ErrSSHFxBadMessage {
+ t.Errorf("unexpected error: %v", err)
+ }
 setstatMode = originalMode
 }
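Review bot: The new guard in handleSFTPSetstat (sftpd/handler.go) rejects only a completely empty `request.Attrs`, so a request whose flags announce fields that the payload is too short to hold still passes `len(request.Attrs) < 1`. If the attribute decoding further down, outside this hunk, indexes the buffer without its own bounds checks, an authenticated client could still trigger the failure this change is meant to stop. Consider comparing the payload length with the minimum implied by `attrFlags`, using the SFTP v3 field widths (size 8, uid/gid 8, permissions 4, atime/mtime 8 bytes). The function body continues past the end of the hunk, so the decoding path should be confirmed there.

```go
attrFlags := request.AttrFlags()
// Minimum payload length implied by the flags the client set (SFTP v3 ATTRS encoding).
minLen := 0
if attrFlags.Size {
	minLen += 8
}
if attrFlags.UidGid {
	minLen += 8
}
if attrFlags.Permissions {
	minLen += 4
}
if attrFlags.Acmodtime {
	minLen += 8
}
if len(request.Attrs) < minLen {
	c.Log(logger.LevelInfo, logSender, "cannot handle Setstat request with truncated attrs, client: %v",
		c.ClientVersion)
	return sftp.ErrSSHFxBadMessage
}
// … unchanged: per-flag permission checks and handlers …
```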
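Review bot: The added case in TestSetstatModeIgnore (sftpd/internal_test.go) covers only a request with no attribute bytes at all, so the handler's behaviour on a non-empty but truncated payload is left unpinned. A second request with `req.Flags` set and a shorter-than-required `req.Attrs` would cover that boundary. Separately, the package-level `setstatMode` is restored only by the final `setstatMode = originalMode`, which never runs if the handler panics on the malformed request. Placing `defer func() { setstatMode = originalMode }()` right after `originalMode` is saved, which is outside this hunk, would keep later tests isolated.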