How to do a TYPO3 security update?

As part of the (Extended) Long Term Support of a TYPO3 version, the TYPO3 Association regularly publishes minor and security updates (patches). These fix functional errors and close security gaps. The latter should definitely be applied promptly.

To find out whether any security patches are available, it is advisable to subscribe to the official TYPO3 Announcement List:

http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-announce

In our article about current TYPO3 versions and the release policy of TYPO3 you can find more information.

Notes:
Minor updates are usually harmless. Nevertheless, so-called breaking changes, i.e. changes that are not backward compatible, are possible. Among other things, these can cause problems with extensions.

This article describes only how to carry out maintenance or security updates. These can be recognised by the third number of the version. For version 9.5.25, this would be 25. If there are higher versions (26, 27, 28, ...), it is recommended to carry out an update according to these instructions.

General information on a TYPO3 update can be found here.


What are breaking changes?

One speaks of breaking changes when replacing or updating a module causes the overall system to stop working, usually because the interface of that module has changed. Changes then have to be made in other parts of the system that are not covered by the update. In TYPO3, breaking changes are mostly changes to the database structure (tables and fields) or to function parameters that serve as an interface for other modules.

The TYPO3 developers strive to make all breaking changes of a major release before the release of the LTS version (ideally even with the "zero version", e.g. "11.0"). In rare cases, especially if unavoidable when closing a security gap, breaking changes may still occur in LTS updates.

TYPO3 security update with composer

The update with Composer works as follows:

  1. Log in to the web server with ssh and change to the installation directory.
  2. Execute the following command there:

     composer update "typo3/cms-*" -W

Security update with the install tool

Requirements

You can perform TYPO3 security updates yourself using the install tool (or, as of version 9, as a maintenance user). The following prerequisites must be met for this ("web server" here means the server application, e.g. Apache):

  • the TYPO3 system runs under a Unix derivative or iOS
  • the typo3_src directory is a symbolic link with write permissions for the web server
  • the webserver has write permissions to the webroot directory (usually ". "typo3")
  • the directory above the webroot directory must also be writable
  • the tar command must be available and executable by the web server

The update function can be disabled by setting the environment variable "TYPO3_DISABLE_CORE_UPDATER=1". If it is disabled, this must be adjusted in the configuration of the web server (e.g. by setting it to "0").
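
The prerequisites listed above can be checked from the shell before opening the install tool. The following script is an added example, not part of the original article or of TYPO3; it assumes that the typo3_src symlink lies directly in the webroot and that it is run as the web server user.

```shell
#!/bin/sh
# Preflight check for the install tool core updater (added example).
# Run as the web server user, because every permission test below is
# evaluated for the invoking user.
# Assumption: typo3_src is a symlink located directly in the webroot.
# Usage: check_core_updater_prereqs /path/to/webroot

check_core_updater_prereqs() {
    webroot=${1:-.}
    failed=0

    fail() { echo "FAIL: $1"; failed=$((failed + 1)); }
    pass() { echo "ok:   $1"; }

    # typo3_src must be a symbolic link, not a real directory
    if [ -L "$webroot/typo3_src" ]; then pass "typo3_src is a symbolic link"
    else fail "typo3_src is not a symbolic link"; fi

    # replacing the link requires write access to the webroot itself
    if [ -d "$webroot" ] && [ -w "$webroot" ]; then pass "webroot is writable"
    else fail "webroot is not writable"; fi

    # the directory above the webroot must be writable as well
    parent=$(cd "$webroot/.." 2>/dev/null && pwd)
    if [ -n "$parent" ] && [ -w "$parent" ]; then pass "parent directory is writable"
    else fail "parent directory of webroot is not writable"; fi

    if command -v tar >/dev/null 2>&1; then pass "tar is available"
    else fail "tar not found in PATH"; fi

    # Only sees the environment of this process; a value set in the web
    # server configuration has to be checked there.
    if [ "${TYPO3_DISABLE_CORE_UPDATER:-0}" = "1" ]; then
        fail "TYPO3_DISABLE_CORE_UPDATER=1 disables the core updater"
    else pass "core updater not disabled in this environment"; fi

    # success only if every check passed
    [ "$failed" -eq 0 ]
}
```

The function prints one line per check and returns a non-zero status if any prerequisite is missing.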

Security update with TYPO3 Version 10

  1. Log in to the TYPO3 backend as administrator.
  2. Go to "Update TYPO3 Core" under "Admin Tools".
  3. Click on "Check for core updates".
  4. If an update is available, click on "Update now" (make a backup beforehand).

Be safe with us

You don't want to take care of it yourself? If you are looking for a service provider who takes care of the timely installation of security updates for you, you have come to the right place.

 

As a professional TYPO3 internet agency, we offer Service Level Agreements that include the automatic installation of security updates.