
Drupal Release: 10.3.13

Tag Name: 10.3.13

Release Date: 2/18/2025


Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 10.3.13: Critical Security Update

This release addresses three critical security vulnerabilities (SA-CORE-2025-001, SA-CORE-2025-002, SA-CORE-2025-003) that could potentially compromise your Drupal site. Additionally, it fixes an issue with the Update manager routes not being properly disabled when allow_authorize_operations is set to FALSE. This is a security-focused maintenance release that all Drupal 10.3.x users should apply immediately to protect their sites.

Highlight of the Release

    • Three critical security vulnerabilities addressed (SA-CORE-2025-001, SA-CORE-2025-002, SA-CORE-2025-003)
    • Fixed issue with Update manager routes not being properly disabled when allow_authorize_operations is set to FALSE
    • Collaborative security fixes from multiple contributors across the Drupal security team

Migration Guide

No migration steps are required for this security update. This is a direct update that addresses security vulnerabilities and fixes a specific issue with the Update manager routes.

To update to Drupal 10.3.13:

  1. Back up your database and site files
  2. Put your site into maintenance mode
  3. Update Drupal core using your preferred method (Composer, Drush, or manual update)
  4. Run database updates
  5. Clear caches
  6. Take your site out of maintenance mode
  7. Test your site functionality
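The seven steps above as a shell script, added here as an example that is neither the page's nor the Drupal project's own tooling. It assumes a Composer-managed site with Drush at vendor/bin/drush, a web root of web/, and that it is run from the project root; it also checks settings.php for the allow_authorize_operations setting that the Update manager fix concerns.

```shell
#!/bin/sh
# Added example, not from the Drupal project: scripts the seven update steps for a
# Composer-managed site and checks the allow_authorize_operations setting the bug fix concerns.
# Assumptions: Drush at vendor/bin/drush, web root "web/", executed from the project root.
set -eu
TARGET="10.3.13"
DRUSH="${DRUSH:-vendor/bin/drush}"

# Print the drupal/core version pinned in a composer.lock. Each package object in composer.lock
# lists "name" immediately before "version", so take the first "version" after the name line.
core_version_from_lock() {
  awk '/"name": "drupal\/core",/ { found = 1; next }
       found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }' "$1"
}

# Return 0 only if settings.php has an active (not commented-out) line of the form
#   $settings['allow_authorize_operations'] = FALSE;
# which is the setting 10.3.13 makes actually disable the Update manager routes.
authorize_ops_disabled() {
  grep -Eq '^[[:space:]]*\$settings\[.allow_authorize_operations.\][[:space:]]*=[[:space:]]*FALSE[[:space:]]*;' "$1"
}

# Steps 1-7 of the migration guide; needs a live site and is not exercised by the tests.
update_core() {
  stamp="$(date +%Y%m%d-%H%M%S)"
  "$DRUSH" sql:dump --gzip --result-file="$PWD/backup-$stamp.sql"      # 1. database backup
  tar -czf "../files-$stamp.tgz" web/sites/default/files                # 1. file backup
  "$DRUSH" state:set system.maintenance_mode 1 --input-format=integer   # 2. maintenance mode on
  composer update "drupal/core-*" --with-all-dependencies               # 3. update core
  "$DRUSH" updatedb -y                                                  # 4. database updates
  "$DRUSH" cache:rebuild                                                # 5. clear caches
  "$DRUSH" state:set system.maintenance_mode 0 --input-format=integer   # 6. maintenance mode off
  "$DRUSH" core:status --field=drupal-version                           # 7. confirm version, then test the site
}

main() {
  if [ "$(core_version_from_lock composer.lock)" = "$TARGET" ]; then
    echo "drupal/core already at $TARGET"; return 0
  fi
  if ! authorize_ops_disabled web/sites/default/settings.php; then
    echo "note: allow_authorize_operations is not explicitly FALSE in settings.php" >&2
  fi
  update_core
  if [ "$(core_version_from_lock composer.lock)" != "$TARGET" ]; then
    echo "warning: composer.lock does not pin drupal/core $TARGET; check your constraints" >&2
    return 1
  fi
}

# The update runs only when invoked as: sh update-core.sh run
if [ "${1:-}" = "run" ]; then main; fi
```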

Upgrade Recommendations

Immediate Update Strongly Recommended

Due to the critical security vulnerabilities addressed in this release, immediate update is strongly recommended for all sites running Drupal 10.3.x.

  • Priority: Critical
  • Risk: High for unpatched sites
  • Effort: Low (standard update process)

This is a security-focused maintenance release that does not introduce new features or breaking changes, making it a straightforward update with minimal risk of regressions.

Bug Fixes

Update Manager Routes Fix

Fixed an issue where Update manager routes were not being properly disabled when the allow_authorize_operations setting was set to FALSE. This bug (Issue #3502835) could potentially allow access to routes that should be restricted based on the site's configuration settings.

The fix ensures that when administrators explicitly disable authorize operations through the allow_authorize_operations setting, all related Update manager routes are properly disabled as expected.

New Features

No new features were introduced in this release. Drupal 10.3.13 is a security-focused maintenance release that addresses critical vulnerabilities and fixes a specific issue with the Update manager routes.

Security Updates

Critical Security Vulnerabilities Addressed

This release includes fixes for three security advisories:

  1. SA-CORE-2025-001: Security vulnerability addressed by multiple contributors including larsdesigns, bdanin, nuwans, dgroene, arkepp, juanramonperez, svendecabooter, wgunn_e, mcdruid, and catch.

  2. SA-CORE-2025-002: Security vulnerability addressed by jeff cardwell, benjifisher, poker10, and mingsong.

  3. SA-CORE-2025-003: Security vulnerability addressed by shin24, anzuukino, mcdruid, nicxvan, ghost of drupal past, and longwave.

Note: Detailed information about these security vulnerabilities is intentionally limited in release notes to prevent exploitation of unpatched systems. For complete details, please refer to the official Drupal Security Advisories.

Performance Improvements

No specific performance improvements were included in this release. Drupal 10.3.13 focuses primarily on security fixes and addressing the Update manager routes issue.

Impact Summary

Drupal 10.3.13 is a critical security release that addresses three security vulnerabilities that could potentially compromise Drupal sites. While the specific details of these vulnerabilities are intentionally limited in the release notes to protect unpatched systems, the involvement of multiple security team members indicates their significance.

Additionally, this release fixes an issue with the Update manager routes not being properly disabled when allow_authorize_operations is set to FALSE, which could potentially allow access to routes that should be restricted.

The impact of this release is primarily focused on security hardening rather than new functionality or performance improvements. Site administrators should prioritize this update to protect their sites from potential security threats. The update process itself should be straightforward with minimal risk of introducing regressions, as this is a targeted security and bug fix release.

Statistics:

Files changed: 11
Line additions: 27
Line deletions: 23
Line changes: 50
Total commits: 5

Users Affected:

  • Need to update their Drupal installations immediately to address critical security vulnerabilities
  • Will benefit from the fixed Update manager routes behavior when `allow_authorize_operations` is set to FALSE
  • Should review their site security after updating to ensure no compromise occurred

Contributors:

longwave