Release Notes / Version 10.2107
The runtime dependency commons-fileupload:commons-fileupload has been removed in order to prevent vulnerability CVE-2023-24998. By removing the application property spring.servlet.multipart.enabled=true, the Studio server configuration has been changed from using Commons Fileupload for handling multipart requests to using the Servlet API.
To retain the defaults of the former Commons Fileupload implementation, the following default configurations for the Servlet API implementation have been changed:
spring.servlet.multipart.max-file-size=-1
spring.servlet.multipart.max-request-size=-1
Furthermore, the file size threshold has been set to prevent out-of-memory problems in the Studio server:
spring.servlet.multipart.file-size-threshold=100MB
For further information see the Spring documentation:
(CMS-22731)