
Add option to limit maxParts in multipart payloads #4425

@devinivy


We have added the option route.option.payload.maxParts, in order to mitigate a DoS vector caused by an unbounded number of parts permitted in multipart payloads. The value of maxParts controls the maximum number of parts permitted in multipart payloads. The latest version of subtext also makes efforts to clean up any files written during payload processing in the case of a payload processing error. The breaking change here is that the default value for maxParts is 1000, whereas before it was effectively unbounded.

This has been released in 21.3.0 and backported to 20.3.0.

Credit to @das7pad for the thorough report and disclosure.
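
To show the kind of bound maxParts describes, here is an added example that is not hapi or subtext code and is not part of the original issue. It counts parts in an already-buffered multipart body and rejects as soon as the limit is passed. The names countParts, buildSample and TooManyPartsError are hypothetical, and the sample payload is constructed.

```javascript
'use strict';

// Added illustration, not hapi or subtext code; all names here are hypothetical.
const DEFAULT_MAX_PARTS = 1000; // default value stated in the issue

class TooManyPartsError extends Error {}

// Count the parts of a buffered multipart body, failing as soon as the
// count exceeds maxParts instead of walking the whole payload.
function countParts(body, boundary, maxParts = DEFAULT_MAX_PARTS) {
    const delimiter = Buffer.from(`--${boundary}`);
    let parts = 0;
    let pos = body.indexOf(delimiter);
    while (pos !== -1) {
        const after = pos + delimiter.length;
        // A delimiter only counts at the start of the body or right after CRLF.
        const atLineStart = pos === 0 || (body[pos - 2] === 13 && body[pos - 1] === 10);
        if (atLineStart) {
            // "--boundary--" closes the body; it does not open another part.
            if (body.subarray(after, after + 2).toString() === '--') {
                return parts;
            }
            parts += 1;
            if (parts > maxParts) {
                throw new TooManyPartsError(`more than ${maxParts} parts`);
            }
        }
        pos = body.indexOf(delimiter, after);
    }
    return parts; // no closing delimiter seen: body was truncated
}

// Constructed sample input: n small form fields, built inline.
function buildSample(n, boundary) {
    let out = '';
    for (let i = 0; i < n; i++) {
        out += `--${boundary}\r\nContent-Disposition: form-data; name="f${i}"\r\n\r\nv${i}\r\n`;
    }
    return Buffer.from(`${out}--${boundary}--\r\n`);
}
```

A streaming parser would apply the same counter as each part header arrives, so the request can be aborted before further parts are read or written to disk.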

Labels: breaking changes (Change that can break existing code), feature (New functionality or improvements), security (Issue with security impact)
