Umbraco 13 is still in security phase as you say, but we’re in the process of disputing this CVE, or at least getting it marked as a duplicate. As it’s not a new one to us.
For background Umbraco has historically not shipped with anything that interrogates the contents of files uploaded to the media section. We take the view that we can’t really know the level of security a customer wants, and what would be appropriate for the types of file they work with to provide a “sensible default”. E.g. if uploading large video files, something that has to load the contents of the file to validate them could be a very heavy operation.
Rather we provide a hook such that customers can add this validation if they want to, and it’s appropriate for them.
The documentation for this feature can be found here: Server-side file validation | CMS | Umbraco Documentation
There was also a recent forum discussion on the topic, with other suggestions for protection if a customer requires it, that you can find here: Umbraco Forms, Upload File.. any core protections against common exploits? - #7 by JasonElkin