Drupal Release: 10.3.14

TL;DR

Drupal 10.3.14 Security Release

This is a critical security update addressing vulnerabilities identified in SA-CORE-2025-004. All Drupal 10.3.x sites should upgrade immediately to version 10.3.14 to protect against potential security threats. This release focuses exclusively on security fixes with no new features or other changes.

Highlight of the Release

• Critical security update addressing vulnerabilities detailed in SA-CORE-2025-004
• Collaborative security fix developed by multiple core contributors
• Focused security release with no additional feature changes

Migration Guide

No migration steps are required for this security update. Simply update your Drupal core from version 10.3.13 to 10.3.14 following standard Drupal update procedures:

1. Back up your database and site files
2. Put your site in maintenance mode
3. Update Drupal core using your preferred method (Composer, Drush, or manual update)
4. Run the database updates
5. Clear caches
6. Take your site out of maintenance mode

If you're using Composer:

composer update drupal/core --with-all-dependencies

If you're using Drush:

drush up drupal

Upgrade Recommendations

Immediate Update Strongly Recommended

This security update addresses critical vulnerabilities and should be applied immediately to all Drupal 10.3.x sites. The update is a direct path from 10.3.13 to 10.3.14 with no known compatibility issues.

Priority: Critical Timing: Immediate Difficulty: Standard security update with no special considerations

Sites running earlier versions of Drupal 10 should first update to 10.3.13, then apply this security update. Sites on Drupal 9 or earlier should refer to the Drupal security advisories for guidance on securing their specific version.

Bug Fixes

This release does not include general bug fixes as it is a targeted security update. All changes are related to security vulnerabilities described in SA-CORE-2025-004.

New Features

No new features were introduced in this release as it is exclusively focused on addressing security vulnerabilities identified in SA-CORE-2025-004.

Security Updates

Security Advisory: SA-CORE-2025-004

This release addresses critical security vulnerabilities identified in SA-CORE-2025-004. The Drupal security team, along with contributors samuel.mortenson, xjm, larowlan, pandaski, effulgentsia, jenlampton, mcdruid, longwave, benjifisher, bramdriesen, and phenaproxima, collaborated on these fixes.

For security reasons, specific details about the vulnerabilities are not disclosed in the release notes. Site administrators should refer to the official Drupal Security Advisory for complete information about the nature of the vulnerabilities and any additional steps that may be required beyond updating.

The security team recommends updating immediately to mitigate potential risks.

Performance Improvements

No specific performance improvements were included in this security-focused release.

Impact Summary

This security release addresses critical vulnerabilities that could potentially expose Drupal sites to various threats. The security team has coordinated a response with multiple core contributors to ensure a comprehensive fix.

The update contains 240 changes across 9 files, with 226 additions and 14 deletions, indicating a focused but significant security patch. The nature of these changes suggests they address specific attack vectors without requiring architectural changes to Drupal core.

Site administrators should prioritize this update above regular maintenance tasks due to its security implications. While no specific exploits have been publicly detailed (as is standard practice for security releases), the involvement of numerous security team members indicates the seriousness of the addressed vulnerabilities.