Drupal Release: 10.4.5

TL;DR

Drupal 10.4.5 is a security release that addresses critical vulnerabilities identified as SA-CORE-2025-004. This update is essential for maintaining the security integrity of your Drupal installation and protecting your site from potential exploits. All Drupal 10.4.x users should upgrade immediately to version 10.4.5.

Highlight of the Release

• Critical security update addressing vulnerabilities identified as SA-CORE-2025-004
• Collaborative security fix developed by multiple core contributors
• Minimal changes focused specifically on security patches

Migration Guide

No migration steps are required for this security update. Simply follow the standard Drupal update procedure:

1. Back up your database and site files
2. Put your site into maintenance mode
3. Update Drupal core files to version 10.4.5
4. Run the update script by visiting /update.php in your browser
5. Take your site out of maintenance mode

If you're using Composer to manage your site:

composer update drupal/core --with-all-dependencies

Then run any database updates and clear caches.

Upgrade Recommendations

Immediate Upgrade Strongly Recommended

This security release addresses critical vulnerabilities that could potentially be exploited on unpatched sites. All users running Drupal 10.4.x should upgrade to Drupal 10.4.5 immediately.

If you cannot update immediately, consider temporarily taking your site offline until you can complete the update process.

For sites on older versions of Drupal:

• If you're on Drupal 10.3.x or earlier, update to the latest security release for your version branch
• If you're on Drupal 9.x, consider upgrading to Drupal 10 as Drupal 9 support is ending
• If you're on Drupal 7, ensure you're on the latest security release as extended support continues

Bug Fixes

This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the security issues are documented in the security advisory SA-CORE-2025-004, which would be available on the Drupal security advisories page after the release.

New Features

No new features were introduced in this release. Drupal 10.4.5 is strictly a security update focused on patching vulnerabilities.

Security Updates

Security Advisory SA-CORE-2025-004

This release fixes critical security vulnerabilities identified in the Drupal core. The security team, along with multiple contributors (samuel.mortenson, xjm, larowlan, pandaski, effulgentsia, jenlampton, mcdruid, longwave, benjifisher, bramdriesen, phenaproxima), collaborated to address these issues.

Specific details about the vulnerabilities are typically withheld for a period after release to allow users time to update before exploitation details become widely known. For complete information, refer to the official security advisory on the Drupal security advisories page.

Performance Improvements

No specific performance improvements were included in this release. The focus was exclusively on addressing security vulnerabilities.

Impact Summary

This security release addresses critical vulnerabilities in Drupal core that could potentially be exploited by malicious actors. The security team has coordinated with multiple contributors to develop and release these fixes promptly.

The impact of not upgrading could be severe, potentially allowing unauthorized access to your site, data exposure, or site compromise. The security fixes in this release are essential for maintaining the integrity and security of your Drupal installation.

With 240 changes across 9 files (226 additions, 14 deletions), this update is focused specifically on security patches rather than new features or general improvements. The targeted nature of these changes indicates a careful approach to addressing the identified vulnerabilities without introducing unnecessary modifications.