Release Notes / Version 11.2310
The runtime dependency commons-fileupload:commons-fileupload has been removed in order to prevent vulnerability CVE-2023-24998.
By removing the application property spring.servlet.multipart.enabled=true, the Studio server configuration has been changed from using Commons Fileupload for handling multipart requests to using the Servlet API.
To retain the defaults of the former Commons Fileupload implementation, the following default configurations for the Servlet API implementation have been changed:
spring.servlet.multipart.max-file-size=-1
spring.servlet.multipart.max-request-size=-1
Furthermore, the file size threshold has been set to prevent out-of-memory problems in the Studio server:
spring.servlet.multipart.file-size-threshold=100MB
For further information see the Spring documentation:
(CMS-22731)