Drupal Release: 10.3.12
Tag Name: 10.3.12
Release Date: 2/5/2025
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 10.3.12 is a security and bug fix release addressing a critical Twig vulnerability (CVE-2025-24374) and resolving issues with language negotiation tests and breadcrumb building. This maintenance release focuses on security hardening and stability improvements without introducing new features.
Highlights of the Release
- Security update for Twig to address CVE-2025-24374
- Fixed random test failures in language negotiation tests
- Improved exception handling in PathBasedBreadcrumbBuilder
Migration Guide
No migration steps are required for this update. This is a standard security and bug fix release that can be applied using Drupal's normal update procedures:
- Back up your database and site files
- Put the site into maintenance mode
- Update Drupal core to version 10.3.12
- Run the database update script if prompted
- Take the site out of maintenance mode
No API changes or database schema modifications are included in this release.
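The steps above as a script, for a site managed with Composer and Drush. This is an added example, not part of the release notes or of Drupal's own tooling; the `web/` docroot, the `BACKUP_DIR` path and the `--apply` switch are assumptions.

```shell
#!/bin/sh
# Added example. Assumes a Composer-managed site (drupal/recommended-project
# layout, docroot "web/") with Drush available; run from the project root.
TARGET="10.3.12"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}"   # placeholder path

# Succeeds only for a 10.3.x core version older than TARGET.
needs_update() {
    case "$1" in
        10.3.*) ;;
        *) return 1 ;;          # other branches have their own releases
    esac
    patch=${1#10.3.}
    patch=${patch%%[!0-9]*}     # drop suffixes such as "-rc1"; "x-dev" becomes empty
    [ -n "$patch" ] && [ "$patch" -lt "${TARGET#10.3.}" ]
}

update_site() {
    current=$(drush status --field=drupal-version) || return 1
    if ! needs_update "$current"; then
        echo "core $current is not a 10.3.x release below $TARGET; nothing to do"
        return 0
    fi
    # Back up the database and site files.
    drush sql:dump --gzip --result-file="$BACKUP_DIR/db-$current.sql" || return 1
    tar -czf "$BACKUP_DIR/files-$current.tar.gz" web/sites/default/files || return 1
    # Put the site into maintenance mode.
    drush state:set system.maintenance_mode 1 --input-format=integer || return 1
    drush cache:rebuild || return 1
    # Update core; Twig comes along as a dependency of core.
    composer require "drupal/core-recommended:$TARGET" \
        "drupal/core-composer-scaffold:$TARGET" \
        "drupal/core-project-message:$TARGET" \
        --update-with-all-dependencies || return 1
    # Run pending database updates; on failure the site stays in maintenance mode.
    drush updatedb -y || return 1
    # Take the site out of maintenance mode.
    drush state:set system.maintenance_mode 0 --input-format=integer || return 1
    drush cache:rebuild || return 1
    # Verify what was installed and check the lock file against known advisories.
    drush status --field=drupal-version
    composer show twig/twig | grep '^versions'
    composer audit --locked
}

# Nothing runs unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    update_site
fi
```

The final `composer audit --locked` exits non-zero if any locked package still has a published advisory, which makes it usable as a CI gate after the update.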
Upgrade Recommendations
Immediate Upgrade Recommended
Due to the critical security vulnerability in Twig (CVE-2025-24374), an immediate upgrade is strongly recommended for all Drupal 10.3.x sites. This is a standard security release with minimal risk of regressions.
The update process should be straightforward with no special considerations beyond normal update procedures. As always, testing in a staging environment before applying to production is recommended.
Bug Fixes
Fixed Random Test Failures in Language Negotiation
Fixed an issue causing random test failures in LanguageNegotiationInfoTest::testInfoAlterations. This resolves inconsistencies in test execution that were affecting development workflows and CI pipelines.
Improved Exception Handling in PathBasedBreadcrumbBuilder
Enhanced the PathBasedBreadcrumbBuilder to properly catch potential exceptions when calling Request::create(). This prevents unexpected crashes when generating breadcrumbs under certain conditions.
New Features
No new features were introduced in this maintenance release. Drupal 10.3.12 focuses on security fixes and bug resolutions to maintain stability and security of the platform.
Security Updates
Critical: Twig Security Vulnerability (CVE-2025-24374)
Updated the Twig dependency to address CVE-2025-24374, a critical security vulnerability. This update prevents potential security exploits that could affect Drupal installations using the vulnerable Twig version.
This security fix is important for all Drupal 10.3.x installations and should be applied promptly.
Performance Improvements
No specific performance improvements were included in this release. The focus was on security and bug fixes rather than performance enhancements.
Impact Summary
Drupal 10.3.12 addresses a critical security vulnerability in the Twig templating engine (CVE-2025-24374) that could potentially expose Drupal sites to security risks. The release also includes two bug fixes: a fix for random test failures in language negotiation tests and improved exception handling in the breadcrumb builder.
This is primarily a security-focused release that maintains compatibility with existing Drupal 10.3.x installations. No new features or API changes are introduced, making this a low-risk but high-priority update for security reasons.
Site administrators should plan to update their Drupal installations promptly to mitigate the security risk posed by the Twig vulnerability.
