GHSA-c7v7-rqfm-f44j: Vaadin Platform possible file bypass via upload validation on the server-side
N/A
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.vaadin:vaadin | maven | >= 14.0.0, <= 14.13.0 | 14.13.1 |
| com.vaadin:vaadin | maven | >= 23.0.0, <= 23.6.1 | 23.6.2 |
| com.vaadin:vaadin | maven | >= 24.0.0, <= 24.7.6 | 24.7.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is in the com.vaadin.flow.component.upload.Upload class and stems from improper handling of its interrupted flag in a multi-threaded, multi-file upload. Two defects combine. First, calling interruptUpload() sets interrupted = true, but the field was not declared volatile, so a write made by one thread (the one calling interruptUpload(), typically from a listener) is not guaranteed to be visible to the threads that are handling the file uploads. Second, endUpload(), which runs after each individual file completes, unconditionally resets interrupted to false. In a multi-file batch this means that when one upload is interrupted, the flag is cleared as soon as that particular upload terminates, and the remaining files in the same batch are processed as if no interruption had happened. A server-side check that rejects the batch by calling interruptUpload() therefore only stops the file that triggered it; later files in the batch bypass the check.

The fix makes the interrupted flag volatile, so its state is consistent across threads, and changes endUpload() to reset the flag only after all uploads in the batch have completed. Any application that uses the Vaadin Upload component and relies on interruptUpload() for server-side validation of multi-file uploads was affected; the remediation is to upgrade to 14.13.1, 23.6.2 or 24.7.7 (or later) per the table above. Client-side accept filters on the component are not a substitute, since they are under the uploader's control.
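The following is an added, standalone model of the flag handling described above. It is not Vaadin's code: the method names interruptUpload() and endUpload() mirror the advisory's description, but the two classes, the uploadBatch() driver, the in-flight counter used to model "reset only after all uploads complete", and the sample batch are assumptions written to show why clearing the flag after every file lets later files in the same batch through. The loop is sequential, so it exercises the reset logic but not the cross-thread visibility half of the bug, which is what the volatile keyword addresses.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Predicate;

/**
 * Simplified stand-in for the interrupted-flag handling in a multi-file upload.
 * Not Vaadin code; names mirror the advisory, behaviour is modelled, not copied.
 */
public class UploadInterruptModel {

    /** Pre-fix shape: plain (non-volatile) flag, cleared after every single file. */
    static class VulnerableUploader {
        private boolean interrupted = false;          // not volatile: no cross-thread visibility guarantee
        final List<String> accepted = new ArrayList<>();

        void interruptUpload() { interrupted = true; }

        /** Called after each file completes; unconditionally clears the flag. */
        void endUpload() { interrupted = false; }

        void uploadBatch(List<String> files, Predicate<String> allowed) {
            for (String f : files) {
                if (!allowed.test(f)) {
                    interruptUpload();                // caller intends to abort the whole batch
                }
                if (!interrupted) {
                    accepted.add(f);                  // models the file being written to storage
                }
                endUpload();                          // BUG: flag is gone before the next file is handled
            }
        }
    }

    /** Post-fix shape: volatile flag, cleared only when the last in-flight upload ends. */
    static class FixedUploader {
        private volatile boolean interrupted = false; // volatile: writes are visible to upload threads
        private final AtomicInteger inFlight = new AtomicInteger(); // assumed way to track the batch
        final List<String> accepted = new ArrayList<>();

        void interruptUpload() { interrupted = true; }

        void endUpload() {
            if (inFlight.decrementAndGet() == 0) {
                interrupted = false;                  // reset only once the whole batch has finished
            }
        }

        void uploadBatch(List<String> files, Predicate<String> allowed) {
            inFlight.set(files.size());
            for (String f : files) {
                if (!allowed.test(f)) {
                    interruptUpload();
                }
                if (!interrupted) {
                    accepted.add(f);
                }
                endUpload();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample batch: one file violates the policy "no executables",
        // and the policy is meant to reject the whole batch once triggered.
        List<String> batch = List.of("report.pdf", "payload.exe", "notes.txt");
        Predicate<String> noExecutables = name -> !name.endsWith(".exe");

        VulnerableUploader vulnerable = new VulnerableUploader();
        vulnerable.uploadBatch(batch, noExecutables);
        System.out.println("pre-fix  accepted: " + vulnerable.accepted);

        FixedUploader fixed = new FixedUploader();
        fixed.uploadBatch(batch, noExecutables);
        System.out.println("post-fix accepted: " + fixed.accepted);
    }
}
```

In the pre-fix model the interruption triggered by payload.exe is cleared by endUpload() before notes.txt is handled, so notes.txt is accepted even though the batch was meant to be aborted; in the post-fix model the flag stays set until the counter reaches zero, so only report.pdf, which completed before the interruption, is accepted. The same shape is a usable regression check for an application's own upload handling: send a batch where an early file triggers interruptUpload() and confirm that no later file in that batch reaches storage.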