diff --git a/CHANGELOG.md b/CHANGELOG.md index 43e8c8a..e74e8bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,10 +26,10 @@ - Added same-origin CSRF checks to sensitive POST routes and unified client IP detection for logging and security features. - Implemented shared per-IP rate limiting middleware covering login, MFA, and logout endpoints. - Updated UI assets and templates to expose MFA enrollment/challenge experiences in the portal. -- Upgraded build stack: Go 1.25.3 base image with patched OpenSSL 3.3.5 and BusyBox fixes. +- Upgraded build stack: Go 1.25.5 base image with patched OpenSSL 3.3.5 and BusyBox fixes. ### Upgrade Notes -- Rebuild images to pull `modomofn/auth-portal:v2.0.2` (Go 1.25.3 base with patched OpenSSL 3.3.5 and BusyBox). +- Rebuild images to pull `modomofn/auth-portal:v2.0.2` (Go 1.25.5 base with patched OpenSSL 3.3.5 and BusyBox). - Database migrations run automatically at startup to create `user_mfa` and `user_mfa_recovery_codes` tables and related columns. - Set `SESSION_COOKIE_DOMAIN` to the host scope you serve AuthPortal from so cookies survive redirects behind proxies. - New environment toggles control MFA behaviour: `MFA_ENABLE`, `MFA_ENFORCE`, and `MFA_ISSUER` (defaults provided). diff --git a/README.md b/README.md index c6b4951..fc90fb5 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ [![Docker Pulls](https://img.shields.io/docker/pulls/modomofn/auth-portal.svg)](https://hub.docker.com/r/modomofn/auth-portal) [![Docker Image Size](https://img.shields.io/docker/image-size/modomofn/auth-portal/latest)](https://hub.docker.com/r/modomofn/auth-portal) -[![Go Version](https://img.shields.io/badge/Go-1.25.3%2B-00ADD8?logo=go)](https://go.dev/) +[![Go Version](https://img.shields.io/badge/Go-1.25.5%2B-00ADD8?logo=go)](https://go.dev/) [![License: GPL-3.0](https://img.shields.io/badge/License-GPL3.0-green.svg)](https://github.com/modom-ofn/auth-portal?tab=GPL-3.0-1-ov-file#readme) [![Vibe Coded](https://img.shields.io/badge/Vibe_Coded-OpenAI_Codex-purple)](https://developers.openai.com/codex/windows) @@ -542,7 +542,7 @@ CREATE TABLE IF NOT EXISTS pins ( ## Build & Images -- Go: `1.25.3` on `alpine:3.21`. +- Go: `1.25.5` on `alpine:3.21`. - Builder installs `git` + CA certs, runs `go mod download` then `go mod tidy -compat=1.25`, builds with: - `-v -x` (verbose), `-buildvcs=false` (avoid VCS scans), `-trimpath`, `-ldflags "-s -w"`. - Runtime: `alpine:3.21`, installs CA certs + tzdata, runs as non-root `uid 10001`. @@ -695,7 +695,7 @@ GPL-3.0 https://opensource.org/license/lgpl-3-0 ## Upgrade Guide (from < v2.0.2) -1) Rebuild or pull `modomofn/auth-portal:v2.0.3` so you pick up Go 1.25.3 plus the patched OpenSSL 3.3.5 / BusyBox layers. +1) Rebuild or pull `modomofn/auth-portal:v2.0.3` so you pick up Go 1.25.5 plus the patched OpenSSL 3.3.5 / BusyBox layers. 2) Set `SESSION_COOKIE_DOMAIN` to the host you serve AuthPortal from (e.g., `auth.example.com`) so session + pending-MFA cookies survive redirect flows. 3) Decide on MFA posture: - Leave `MFA_ENABLE=1` to let users enroll. diff --git a/auth-portal/Dockerfile b/auth-portal/Dockerfile index af3478b..d0a61b5 100644 --- a/auth-portal/Dockerfile +++ b/auth-portal/Dockerfile 
@@ -1,5 +1,5 @@ # ---- builder ---- -FROM golang:1.25.3-alpine3.21 AS build +FROM golang:1.25.5-alpine3.21 AS build WORKDIR /src # Tools needed for fetching modules over HTTPS diff --git a/auth-portal/go.mod b/auth-portal/go.mod index a49ac27..6fc8260 100644 --- a/auth-portal/go.mod +++ b/auth-portal/go.mod @@ -2,7 +2,7 @@ module auth-portal go 1.25 -toolchain go1.25.3 +toolchain go1.25.5 require ( github.com/DATA-DOG/go-sqlmock v1.5.2
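Review bot: In CHANGELOG.md, the Upgrade Notes line still tells readers to pull `modomofn/auth-portal:v2.0.2` while its parenthetical now says Go 1.25.5. If that tag was already published on the 1.25.3 base, the edited entry misdescribes what the tag contains. Record the toolchain bump under the release that actually ships it, or confirm that the v2.0.2 tag is being rebuilt on the new base.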
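Review bot: In the README.md Upgrade Guide hunk, step 1 names `modomofn/auth-portal:v2.0.3` under a heading that reads "from < v2.0.2", while the CHANGELOG line changed in this same patch names `v2.0.2` for the same Go 1.25.5 base. Decide which tag carries this toolchain and use it consistently in both files, so operators following either document pull the image with the patched Go.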
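Review bot: In auth-portal/Dockerfile, `FROM golang:1.25.5-alpine3.21 AS build` references the builder image by tag only, and a tag is mutable: the same name can resolve to different content on a later pull. Since the purpose of this change is to pick up a patched toolchain, consider pinning by digest as well (`golang:1.25.5-alpine3.21@sha256:<digest>`, where `<digest>` is a placeholder for the value you verify) so builds are reproducible and the base layer can be audited.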
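Review bot: In auth-portal/go.mod, `toolchain go1.25.5` repeats a patch version that is also hard-coded in the Dockerfile `FROM` line and in several documentation lines touched by this patch, and nothing visible here keeps them in step. A CI check that compares the `toolchain` directive with the Dockerfile tag would catch a future bump that updates one and misses the other.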