JBoss Enterprise Application Platform / JBEAP-26355

[GSS](7.4.z) UNDERTOW-2337 - Multipart form-data larger than 16KiB is not available through Servlet getParameter API after EAP 7.4.12 (CVE-2023-3223 / UNDERTOW-2271 fix)

      This issue can be mitigated by setting the "io.undertow.multipart.minsize" system property to a large enough value (e.g. -Dio.undertow.multipart.minsize=10485760).

      Refer to README.md for the usage and steps to reproduce the issue in the attached reproducer (servlet-example-multipart-upload.zip).


      POST form data larger than 16KiB in a multipart/form-data request becomes unavailable through the Servlet getParameter API after JBoss EAP 7.4.12, which includes the UNDERTOW-2271 fix for CVE-2023-3223. (The POST data is still available through the getPart API, but not through getParameter.)

      Note that the Servlet specification (PDF) states the following:

      3.2. File Upload

      ...(snip)...

      If the servlet container provides multipart/form-data processing, the data is made available through the following methods in HttpServletRequest:

      • public Collection<Part> getParts()
      • public Part getPart(String name)

      Each part provides access to the headers, content type related with it and the content via the Part.getInputStream method.

      For parts with form-data as the Content-Disposition, but without a filename, the string value of the part will also be available through the getParameter and getParameterValues methods on HttpServletRequest, using the name of the part.

      and the same statement exists in the latest Servlet 6.0 spec.

      So, using the getParameter API to obtain posted form data (plain text fields, not file uploads) from a multipart request is a valid usage and use case.

      After EAP 7.4.12 with UNDERTOW-2271, Undertow changed its handling of multipart form-data parts larger than 16KiB and now persists them to disk. Inside Undertow such a POST form field is then treated the same as a part whose Content-Disposition carries a filename, so it is no longer available through HttpServletRequest getParameter(), getParameterValues(), getParameterNames() and getParameterMap(): those methods check the value with getFileItem() and skip it (getParameter() returns null) when the FormData entry was created from the persisted file.

      This issue can be mitigated by setting the "io.undertow.multipart.minsize" system property to a large enough value (e.g. -Dio.undertow.multipart.minsize=10485760).
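As an added example (this is not the attached reproducer and not Undertow's or EAP's own code), the servlet below shows the symptom and a code-level fallback: if getParameter() returns null for a field, consult getPart() and, when the part has no filename, read its body as text. This works on affected and unaffected versions alike because the Part API is what the spec guarantees for every part. The servlet name, URL, field name and size limits are illustrative assumptions; the code uses the javax.servlet API of EAP 7.4 and avoids JDK 9+ methods so it also compiles on JDK 8.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Illustrative servlet (assumed names), not the attached reproducer.
// @MultipartConfig is what enables getPart()/getParts(); without it the
// container throws IllegalStateException. The limits are example values.
@WebServlet("/upload")
@MultipartConfig(maxFileSize = 1024 * 1024, maxRequestSize = 2 * 1024 * 1024)
public class MultipartTextServlet extends HttpServlet {

    // Largest text field we are willing to buffer on the heap (example value).
    private static final long MAX_TEXT_BYTES = 256 * 1024;

    // Returns the value of a text (non-file) field of a multipart/form-data
    // request, or null if the field is absent or is a file upload.
    // getParameter() is tried first; on EAP 7.4.12+ it returns null for a
    // field above io.undertow.multipart.minsize (16KiB by default), so the
    // Part API, which the spec guarantees for every part, is the fallback.
    static String textField(HttpServletRequest req, String name)
            throws IOException, ServletException {
        String value = req.getParameter(name);
        if (value != null) {
            return value;
        }
        Part part = req.getPart(name);
        if (part == null || part.getSubmittedFileName() != null) {
            return null; // absent, or a real file upload (has a filename)
        }
        // The disk spill from UNDERTOW-2271 keeps large parts off the heap;
        // reading one back into memory must therefore be explicitly bounded.
        if (part.getSize() > MAX_TEXT_BYTES) {
            throw new IOException("text field '" + name + "' exceeds "
                    + MAX_TEXT_BYTES + " bytes");
        }
        try (InputStream in = part.getInputStream()) {
            return new String(readFully(in), charsetOf(part, req));
        }
    }

    // JDK 8 compatible replacement for InputStream.readAllBytes().
    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    // Charset precedence: the part's own Content-Type charset, then the
    // request encoding (what getParameter() would have used), then UTF-8.
    // Browsers normally send no Content-Type for text fields, so the
    // UTF-8 default is an assumption to adjust per application.
    private static Charset charsetOf(Part part, HttpServletRequest req) {
        String contentType = part.getContentType();
        if (contentType != null) {
            for (String param : contentType.split(";")) {
                param = param.trim();
                if (param.regionMatches(true, 0, "charset=", 0, 8)) {
                    try {
                        return Charset.forName(
                                param.substring(8).trim().replace("\"", ""));
                    } catch (IllegalArgumentException ignored) {
                        // unknown charset name: fall through to the defaults
                    }
                }
            }
        }
        String reqEncoding = req.getCharacterEncoding();
        if (reqEncoding != null) {
            try {
                return Charset.forName(reqEncoding);
            } catch (IllegalArgumentException ignored) {
                // fall through
            }
        }
        return StandardCharsets.UTF_8;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String comment = textField(req, "comment");
        if (comment == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "missing 'comment' text field");
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("comment length: " + comment.length());
    }
}
```

To reproduce the symptom against such a servlet, post a text field larger than 16KiB without a filename, e.g. `curl -F "comment=<big.txt" http://localhost:8080/app/upload` (curl's `<` prefix sends the file's content as an ordinary form field, not as a file upload); on an affected server the getParameter() branch yields null and only the getPart() fallback sees the value. The system-property workaround from this issue is applied as a JVM argument, e.g. by appending `-Dio.undertow.multipart.minsize=10485760` to JAVA_OPTS in standalone.conf; the value is in bytes, and raising it means parts up to that size are again held in memory, so size it against the form fields the application actually expects rather than setting it arbitrarily high.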

            rhn-engineering-lgao Lin Gao
            rhn-support-mmiura Masafumi Miura