Drupal Release: 11.0.12

TL;DR

Drupal 11.0.12 is a critical security update that addresses three security advisories (SA-CORE-2025-001, SA-CORE-2025-002, and SA-CORE-2025-003). This release contains no new features or bug fixes outside of these security patches, making it essential for all Drupal 11.0.x site owners to update immediately to protect their sites from potential vulnerabilities.

Highlight of the Release

• Three critical security advisories addressed: SA-CORE-2025-001, SA-CORE-2025-002, and SA-CORE-2025-003
• Collaborative security fixes from multiple contributors
• Minimal codebase changes (48 total changes) focused exclusively on security patches

Migration Guide

No migration steps are required for this update. This is a direct security update from Drupal 11.0.11 to 11.0.12 and does not introduce any API changes or require database updates.

To update:

1. Back up your site's files and database
2. Update Drupal core using your preferred method:
   • Composer: composer update drupal/core --with-all-dependencies
   • Manual update: Download the latest release and replace the core files
3. Run database updates if prompted (though none are expected with this release)
4. Clear caches

No additional migration steps are needed beyond the standard update process.

Upgrade Recommendations

Immediate Update Strongly Recommended

This security release addresses multiple vulnerabilities that could potentially be exploited on unpatched sites. All site owners running Drupal 11.0.x should update to version 11.0.12 immediately.

The security team considers this update critical. Sites that remain on older versions may be vulnerable to attacks once the details of these security issues become public.

For sites unable to update immediately, consult the Drupal security advisories for potential mitigation strategies, though a full update is the only complete solution.

Bug Fixes

This release does not include general bug fixes outside of the security vulnerabilities that were addressed. All changes in this version are specifically targeted at resolving the security issues identified in SA-CORE-2025-001, SA-CORE-2025-002, and SA-CORE-2025-003.

New Features

This release does not contain any new features as it is exclusively focused on security fixes. All changes in this release are related to addressing the security vulnerabilities identified in the three security advisories.

Security Updates

Security Advisories Fixed

This release addresses three security advisories:

1. SA-CORE-2025-001: Security vulnerability fixed by contributors larsdesigns, bdanin, nuwans, dgroene, arkepp, juanramonperez, svendecabooter, wgunn_e, mcdruid, and catch.

2. SA-CORE-2025-002: Security vulnerability fixed by contributors jeff cardwell, benjifisher, poker10, and mingsong.

3. SA-CORE-2025-003: Security vulnerability fixed by contributors shin24, anzuukino, mcdruid, nicxvan, ghost of drupal past, and longwave.

The Drupal security team has not publicly disclosed the specific details of these vulnerabilities to prevent exploitation on sites that have not yet been updated. Full details about these security issues will be released after a sufficient time has passed to allow most users to update.

Performance Improvements

No specific performance improvements are included in this release. Drupal 11.0.12 is a security-focused update that does not introduce performance enhancements.

Impact Summary

Drupal 11.0.12 is a security-only release that addresses three security advisories. The impact is primarily focused on improving the security posture of Drupal sites by patching vulnerabilities that could potentially be exploited by malicious actors.

The release contains 48 changes across 10 files, with 25 additions and 23 deletions, indicating targeted fixes rather than extensive code changes. This suggests the security patches were implemented with minimal disruption to the codebase.

Since this is a security-only release, there are no functional changes, new features, or API modifications that would impact normal site operation. The only impact on users is the requirement to update their sites to maintain security.

Site administrators should prioritize this update to protect their sites from potential security threats. The collaborative nature of the fixes, with multiple contributors working on each security advisory, demonstrates the Drupal community's commitment to addressing security issues promptly and thoroughly.