diff --git a/.circleci/config.yml b/.circleci/config.yml
index 86402119c..04f48112e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -13,7 +13,7 @@ jobs:
   build:
     parallelism: 8
     docker:
-      - image: cimg/go:1.21
+      - image: cimg/go:1.25
     steps:
       - checkout
 
@@ -37,7 +37,7 @@ jobs:
 
   report:
     docker:
-      - image: cimg/go:1.21
+      - image: cimg/go:1.25
     steps:
       - checkout
       - attach_workspace:
diff --git a/Dockerfile b/Dockerfile
index 0c388b205..75b2c108f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # golang alpine
-FROM golang:1.24.6-alpine AS builder
+FROM golang:1.25.3-alpine AS builder
 
 ARG TARGETARCH
 ARG TARGETOS
@@ -21,7 +21,7 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-w -s -X 'github.com/nuts-foundation/nuts-node/core.GitCommit=${GIT_COMMIT}' -X 'github.com/nuts-foundation/nuts-node/core.GitBranch=${GIT_BRANCH}' -X 'github.com/nuts-foundation/nuts-node/core.GitVersion=${GIT_VERSION}'" -o /opt/nuts/nuts
 
 # alpine
-FROM alpine:3.22.0
+FROM alpine:3.22.2
 RUN apk update \
   && apk add --no-cache \
              tzdata \
diff --git a/docs/pages/release_notes.rst b/docs/pages/release_notes.rst
index 496b34447..13dc23087 100644
--- a/docs/pages/release_notes.rst
+++ b/docs/pages/release_notes.rst
@@ -3,6 +3,23 @@
 Release notes
 #############
 
+*************************
+Hazelnut update (v5.4.20)
+*************************
+
+Release date: 2025-11-03
+
+- Update Go version to fix https://pkg.go.dev/vuln/GO-2025-4007,
+  https://pkg.go.dev/vuln/GO-2025-4008,
+  https://pkg.go.dev/vuln/GO-2025-4009,
+  https://pkg.go.dev/vuln/GO-2025-4010,
+  https://pkg.go.dev/vuln/GO-2025-4011,
+  https://pkg.go.dev/vuln/GO-2025-4012,
+  https://pkg.go.dev/vuln/GO-2025-4013, and
+  https://pkg.go.dev/vuln/GO-2025-4014
+
+**Full Changelog**: https://github.com/nuts-foundation/nuts-node/compare/v5.4.19...v5.4.20
+
 *************************
 Hazelnut update (v5.4.19)
 *************************
diff --git a/go.mod b/go.mod
index 7d2cc9473..db4f1a022 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/nuts-foundation/nuts-node
 
 // This is the minimal version, the actual go version is determined by the images in the Dockerfile
 // This version is used in automated tests such as the 'Scheduled govulncheck' action
-go 1.24.6
+go 1.25.3
 
 require (
 	github.com/alicebob/miniredis/v2 v2.33.0