Drupal Release: 11.1.3

TL;DR

Drupal 11.1.3 is a security release that addresses multiple critical vulnerabilities. This update includes three security advisories (SA-CORE-2025-001, SA-CORE-2025-002, and SA-CORE-2025-003) with fixes contributed by numerous security team members. All Drupal 11 site owners should update immediately to protect their sites from potential security exploits.

Highlight of the Release

• Three critical security advisories addressed: SA-CORE-2025-001, SA-CORE-2025-002, and SA-CORE-2025-003
• Collaborative security fixes from multiple Drupal security team members
• Immediate update recommended for all Drupal 11 sites

Migration Guide

No special migration steps are required for this security update. Standard Drupal update procedures apply:

1. Back up your database and site files before updating
2. Update Drupal core to version 11.1.3 using your preferred method (Composer, Drush, or manual update)
3. Run the database update script (update.php) if prompted
4. Clear caches

For detailed instructions on updating Drupal core, refer to the Updating Drupal Core documentation.

Upgrade Recommendations

Immediate update strongly recommended

This is a critical security release addressing multiple vulnerabilities. All site owners running Drupal 11.x should update to version 11.1.3 immediately to protect their sites from potential security exploits.

If you are unable to update immediately, consider temporarily taking your site offline or implementing additional security measures until the update can be applied.

Bug Fixes

This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the security issues fixed are documented in the security advisories SA-CORE-2025-001, SA-CORE-2025-002, and SA-CORE-2025-003, which can be found on the Drupal Security Advisories page.

New Features

No new features were introduced in this release as it focuses exclusively on security fixes.

Security Updates

This release addresses three security advisories:

SA-CORE-2025-001

A critical security vulnerability that was fixed with contributions from multiple security team members including larsdesigns, bdanin, nuwans, dgroene, arkepp, juanramonperez, svendecabooter, wgunn_e, mcdruid, and catch.

SA-CORE-2025-002

A security vulnerability addressed by jeff cardwell, benjifisher, poker10, and mingsong.

SA-CORE-2025-003

A security vulnerability fixed by shin24, anzuukino, mcdruid, nicxvan, ghost of drupal past, and longwave.

For detailed information about these vulnerabilities, including their nature, impact, and mitigation strategies, please refer to the official Drupal Security Advisories page.

Performance Improvements

No specific performance improvements were included in this security-focused release.

Impact Summary

Drupal 11.1.3 is a security-focused release that addresses three critical security advisories (SA-CORE-2025-001, SA-CORE-2025-002, and SA-CORE-2025-003). While the specific details of these vulnerabilities are not fully disclosed in the commit messages to prevent exploitation, the involvement of numerous security team members indicates the importance of these fixes.

The release contains 60 changes across 11 files, with 25 additions and 35 deletions, suggesting targeted fixes rather than extensive code changes. This update is crucial for maintaining the security integrity of Drupal 11 sites and protecting them from potential exploits.

Site administrators should prioritize this update and apply it immediately to all Drupal 11 installations. No new features or performance improvements are included, as this release is focused exclusively on addressing security vulnerabilities.