diff --git a/lock.sbt b/lock.sbt
index a19d076aa..f77a5faa7 100644
--- a/lock.sbt
+++ b/lock.sbt
@@ -122,7 +122,7 @@ Compile / dependencyOverrides ++= {
       "org.apache.httpcomponents" % "httpcore" % "4.4.5",
       "org.apache.httpcomponents" % "httpcore-nio" % "4.4.5",
       "org.apache.logging.log4j" % "log4j-api" % "2.17.2",
-      "org.apache.logging.log4j" % "log4j-core" % "2.17.2",
+      "org.apache.logging.log4j" % "log4j-core" % "2.25.1",
       "org.apache.lucene" % "lucene-analyzers-common" % "7.7.3",
       "org.apache.lucene" % "lucene-backward-codecs" % "7.7.3",
       "org.apache.lucene" % "lucene-core" % "7.7.3",
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 7e630835b..e83c33d43 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -155,7 +155,7 @@ object Dependencies {
     // and there's (as of 2025-07) nothing interesting in newer versions?
     // (Versions <= 2.17.0 are vulnerable.)
     //  log4jApi  = "org.apache.logging.log4j" % "log4j-api" % "..."   // not needed
-    val log4jCore = "org.apache.logging.log4j" % "log4j-core" % "2.17.2"  // needed
+    val log4jCore = "org.apache.logging.log4j" % "log4j-core" % "2.25.1"  // needed
 
 
     // ----- Metrics, tracing