drupal 10.4.9

Security update

This is a security release of the Drupal 10 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

Important update information

  • SA-CORE-2025-005 removes a feature of an underlying library where request attributes can be manipulated. It is possible that some sites are actually relying on this feature. In this case, the behavior can be replicated by implementing a custom stack middleware to alter the incoming request.

  • This release updates minimum versions of Symfony Framework libraries. The updated libraries include a fix for CVE-2025-64500. Drupal does not expose this vulnerability, but the update is included as a hardening for other applications that may extend the library directly.

drupal 10.5.6

Security update

This is a security release of the Drupal 10 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

drupal 11.1.9

Security update

This is a security release of the Drupal 11 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

Important update information

  • SA-CORE-2025-005 removes a feature of an underlying library where request attributes can be manipulated. It is possible that some sites are actually relying on this feature. In this case, the behavior can be replicated by implementing a custom stack middleware to alter the incoming request.

  • Symfony Framework released CVE-2025-64500 today. Drupal core does not expose this vulnerability.

    Drupal 11.1 has Symfony 7.2 as minimum version, which is no longer supported by Symfony as of this month (November 2025). Since Drupal is not affected by the Symfony security vulnerability, we are not raising the minimum Symfony version for Drupal 11.1. Sites can update to Symfony 7.3 via Composer if needed, or update to Drupal 11.2. Sites should also aim to update to Drupal 11.2 or higher before Drupal 11.1 reaches its end-of-life in December.

drupal 11.2.8

Security update

This is a security release of the Drupal 11 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

Important update information

  • SA-CORE-2025-005 removes a feature of an underlying library where request attributes can be manipulated. It is possible that some sites are actually relying on this feature. In this case, the behavior can be replicated by implementing a custom stack middleware to alter the incoming request.

  • This release updates minimum versions of Symfony Framework libraries. The updated libraries include a fix for CVE-2025-64500. Drupal does not expose this vulnerability, but the update is included as a hardening for other applications that may extend the library directly.

No other fixes are included.

email_tfa 2.0.6

Security update
Bug fixes

Bug:

#3531139 Harden TFA code comparison against timing attacks

#3542974 Destination parameter not respected on login
