An unpatched wordpress security issue was made public.

There exists a patch we could do on our own theme's functions.php file (aka, without touching wordpress).

add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
    if( isset($data['thumb']) ) {
        $data['thumb'] = basename($data['thumb']);
    }

    return $data;
}

We need to test that to see that it does not break something with our wp-stateless or with anything else in our site.

If stateless is not broken (images uploading, images thumbnails getting created etc), then we can deploy it via our own master-theme