Drupal Release: 11.0.13
Tag Name: 11.0.13
Release Date: 3/19/2025
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 11.0.13 Security Release
This is a critical security update addressing vulnerabilities identified in SA-CORE-2025-004. The release contains important security fixes with minimal code changes (226 additions, 14 deletions across 9 files). All Drupal 11 site owners should update immediately to protect their sites from potential security threats.
Highlights of the Release
- Critical security update addressing vulnerabilities detailed in SA-CORE-2025-004
- Minimal code changes focused specifically on security issues
- Coordinated security release by the Drupal Security Team
Migration Guide
No migration steps are required for this update. This is a direct security update from Drupal 11.0.12 to 11.0.13 that should not affect site functionality.
To update:
- Back up your site's files and database
- Update Drupal core using your preferred method (Composer, Drush, or manual update)
- Run database updates if prompted
- Clear caches
No API changes or database schema changes are included in this security release.
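As an added example (not part of the release notes or Drupal's own tooling), this Python script checks after the update that a site's composer.lock pins drupal/core at 11.0.13 or later on the 11.0.x line. It assumes a Composer-managed site; the function names and the sample lock contents are constructed for illustration.

```python
import json

FIXED = (11, 0, 13)  # fixed release named on this page


def parse_version(raw):
    """Turn '11.0.12' or 'v11.0.12' into (11, 0, 12); None for dev or pre-release strings."""
    parts = raw.lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def core_version(lock_text):
    """Return the locked drupal/core version string from composer.lock text, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


def audit(lock_text):
    """Classify a site as 'patched', 'needs-update', 'other-branch' or 'unknown'."""
    raw = core_version(lock_text)
    ver = parse_version(raw) if raw else None
    if ver is None:
        return "unknown"        # drupal/core missing, or a dev build: review by hand
    if ver[:2] != FIXED[:2]:
        return "other-branch"   # this page only covers the 11.0.x line
    return "patched" if ver >= FIXED else "needs-update"


def make_lock(version):
    """Build a minimal, constructed composer.lock body for the demonstration."""
    return json.dumps({"packages": [{"name": "drupal/core", "version": version}],
                       "packages-dev": []})


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real site.
    for v in ("11.0.12", "11.0.13", "10.4.5", "11.0.x-dev"):
        print(v, "->", audit(make_lock(v)))
```

On a real site, pass the contents of the project's composer.lock to `audit()` and treat anything other than `patched` as needing follow-up.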
Upgrade Recommendations
Immediate Update Strongly Recommended
All Drupal 11 site owners should update to version 11.0.13 immediately. This is a critical security release addressing vulnerabilities that could potentially be exploited.
The update process should be straightforward as this is a minor security release with minimal code changes. However, as with any update, it's recommended to:
- Create a complete backup of your site before updating
- Test the update on a staging environment if possible
- Update production sites during a maintenance window
- Verify site functionality after the update
If you cannot update immediately, consider temporarily taking your site offline until you can apply the security patches.
Bug Fixes
This release specifically addresses security vulnerabilities detailed in the security advisory SA-CORE-2025-004. The exact nature of the vulnerabilities is not disclosed in the commit message to prevent exploitation before users have had a chance to update.
New Features
No new features were introduced in this release. This is strictly a security update addressing vulnerabilities identified in SA-CORE-2025-004.
Security Updates
SA-CORE-2025-004 Security Advisory
This release addresses critical security vulnerabilities identified in the SA-CORE-2025-004 security advisory. The security team, including contributors samuel.mortenson, xjm, larowlan, pandaski, effulgentsia, jenlampton, mcdruid, longwave, benjifisher, bramdriesen, and phenaproxima, collaborated on these fixes.
The specific details of the vulnerabilities are intentionally withheld to protect sites that have not yet been updated. After updating, site administrators should check the official Drupal Security Advisories for more information about the nature of the vulnerabilities that were addressed.
Performance Improvements
No specific performance improvements were mentioned in this security release. The changes were focused on addressing security vulnerabilities rather than performance enhancements.
Impact Summary
This security release addresses critical vulnerabilities in Drupal 11 that could potentially be exploited by malicious actors. The security team has coordinated a focused update with minimal code changes (226 additions, 14 deletions across 9 files) to address these issues.
The impact of not updating could be severe, potentially allowing unauthorized access to site data or functionality. The Drupal security team considers this update important enough to warrant an immediate release outside the normal release cycle.
Site owners who delay updating may put their sites at risk, especially once the details of the vulnerabilities become public knowledge. The relatively small scope of changes (240 total changes) indicates that the update should be straightforward to apply with minimal risk of disruption to site functionality.
