Application Management and Patching
May 2025 Third-Party Patches: Notable Vulnerabilities and Updates
In May 2025, 79 vulnerable applications received 129 updates. These updates remediate 107 unique vulnerabilities. In other words, May isn’t that different from previous months. This month, prioritize zero-day vulnerabilities and those with high Exploit Prediction Scoring System (EPSS) scores.
Notable Vulnerabilities in May 2025 Third-Party Patches
There were two zero-day vulnerabilities in May. CVE-2025-27363 is a dependency vulnerability affecting Gpg4win (GNU Privacy Guard for Windows) caused by FreeType in 2.13.0 and below. An out-of-bounds write can occur when parsing font subglyph structures for TrueType GX and variable fonts. The code assigns a signed short to an unsigned long, adds a static value, and causes a wraparound, leading to inadequate heap buffer allocation. For more details, see the Gpg4win release notes and the NVD entry.
CVE-2025-4664 is a zero-day flaw that affects several Chromium-based products, including Electron, Microsoft Edge for Business, Google Chrome, Vivaldi, Brave Browser, Burp Suite, and Opera One. A vulnerability in the Loader component of Google Chrome prior to version 136.0.7103.113 allowed remote attackers to exploit insufficient policy enforcement, leading to the potential leakage of cross-origin data through a specially crafted HTML page. For more information, refer to the Google Chrome release notes.
The Exploit Prediction Scoring System (EPSS) scores for the two zero-days are 0.68 and 0.024. Given these scores, prioritize patching these two vulnerabilities first. Another high-risk issue is CVE-2023-48795, affecting TurboVNC, with an EPSS score of 0.67. The flaw originates in a dependency used by OpenSSH before 9.6 (and other products) and can let remote attackers bypass integrity checks. For more information, consult the TurboVNC release notes and NVD entry.
Browser Security Updates in May 2025
| Browser | Vulnerabilities | Updates |
| Google Chrome | 16 | 4 |
| Microsoft Edge | 29 | 3 |
| Brave Browser | 3 | 2 |
| Pale Moon | 2 | 1 |
| Mozilla Firefox | 12 | 2 |
| Mozilla Firefox ESR 115 | 6 | 2 |
| Mozilla Firefox ESR 128 | 9 | 2 |
| Opera One | 1 | 1 |
| Vivaldi | 3 | 2 |
| Waterfox | 19 | 2 |
Microsoft Product Updates Included in May 2025 Third-Party Patches
In addition to Edge, Microsoft issued security updates for several other products.
- Microsoft .NET Runtime 8.0
- Microsoft .NET Runtime 9.0
- Microsoft .NET SDK 8.0
- Microsoft .NET SDK 9.0
- Microsoft 365 Apps
- Microsoft ASP.NET Core Runtime 8.0
- Microsoft ASP.NET Core Runtime 9.0
- Microsoft ASP.NET Core Runtime Hosting Bundle 8.0
- Microsoft ASP.NET Core Runtime Hosting Bundle 9.0
- Microsoft Edge Beta
- Microsoft Edge for Business
- Microsoft Visual Studio 2017 Community
- Microsoft Visual Studio 2017 Enterprise
- Microsoft Visual Studio 2017 Professional
- Microsoft Visual Studio 2019 Community
- Microsoft Visual Studio 2019 Enterprise
- Microsoft Visual Studio 2019 Professional
- Microsoft Visual Studio 2022 Community
- Microsoft Visual Studio 2022 Enterprise
- Microsoft Visual Studio 2022 Professional
- Microsoft Visual Studio Code
- Microsoft Visual Studio Feedback Client 2017
- Microsoft Visual Studio Team Explorer 2017
- Microsoft Visual Studio Team Explorer 2019
- Microsoft Visual Studio Team Explorer 2022
- Microsoft Windows Desktop Runtime 8.0
- Microsoft Windows Desktop Runtime 9.0
Detailed List of May 2025 Third-Party Patches
For a complete list of applications, versions, and the number of remediated vulnerabilities, see the table below generated using Application Workspace data.
| ProductName | VersionName | Vulnerabilities remediated |
| Apache Tomcat 10 | 10.1.41 | 1 |
| Apache Tomcat 11 | 11.0.7 | 1 |
| Apache Tomcat 9 | 9.0.105 | 1 |
| Brave Browser | 1.78.102 | 2 |
| Brave Browser | 1.78.97 | 1 |
| Burp Suite Community Edition | 2025.4.2 | 4 |
| Burp Suite Community Edition | 2025.5.1 | 2 |
| Burp Suite Professional Edition | 2025.4.2 | 4 |
| Burp Suite Professional Edition | 2025.5.1 | 2 |
| Chef Workstation | 25.5.1084 | 12 |
| Chef Workstation for Windows | 25.5.1084 | 12 |
| Electron | 34.5.7 | 2 |
| Electron | 35.5.0 | 2 |
| EnterpriseDB Corporation PostgreSQL 13 | 13.21.1 | 1 |
| EnterpriseDB Corporation PostgreSQL 14 | 14.18.1 | 1 |
| EnterpriseDB Corporation PostgreSQL 15 | 15.13.1 | 1 |
| EnterpriseDB Corporation PostgreSQL 16 | 16.9.1 | 1 |
| EnterpriseDB Corporation PostgreSQL 17 | 17.5 | 1 |
| EnterpriseDB Corporation PostgreSQL 17 | 17.5.1 | 1 |
| GNU Emacs | 30.1.0 | 2 |
| Google Chrome for Business | 136.0.7103.114 | 2 |
| Google Chrome for Business | 136.0.7103.93 | 1 |
| Google Chrome for Business | 137.0.7151.41 | 5 |
| Google Chrome for Business | 137.0.7151.56 | 8 |
| Google Go Programming Language 1.24 | 1.24.3 | 1 |
| Gpg4win | 4.4.1.63067 | 1 |
| IBM Semeru Runtime Open Edition JDK 11 (LTS) | 11.0.27.6 | 3 |
| IBM Semeru Runtime Open Edition JDK 17 (LTS) | 17.0.15.6 | 3 |
| IBM Semeru Runtime Open Edition JDK 8 (LTS) | 8.0.452.9 | 4 |
| IBM Semeru Runtime Open Edition JRE 11 (LTS) | 11.0.27.6 | 3 |
| IBM Semeru Runtime Open Edition JRE 17 (LTS) | 17.0.15.6 | 3 |
| IBM Semeru Runtime Open Edition JRE 8 (LTS) | 8.0.452.9 | 4 |
| Liberica JDK | 11.0.27.9 | 5 |
| Liberica JDK | 17.0.15.10 | 5 |
| Liberica JDK | 8.0.452.11 | 5 |
| Liberica JDK Lite | 11.0.27.9 | 5 |
| Liberica JDK Lite | 21.0.7.9 | 5 |
| Liberica JDK Lite | 8.0.452.11 | 5 |
| Liberica JRE | 11.0.27.9 | 5 |
| Liberica JRE | 21.0.7.9 | 5 |
| Liberica JRE | 8.0.452.11 | 5 |
| MariaDB Server 10.11 | 10.11.12 | 5 |
| MariaDB Server 10.5 | 10.5.29.0 | 4 |
| MariaDB Server 10.6 | 10.6.22 | 4 |
| MariaDB Server 11.4 | 11.4.6 | 5 |
| Microsoft .NET Runtime 8.0 | 8.0.16 | 1 |
| Microsoft .NET Runtime 8.0 | 8.0.16.34815 | 1 |
| Microsoft .NET Runtime 9.0 | 9.0.5 | 1 |
| Microsoft .NET SDK 8.0 | 8.0.409 | 1 |
| Microsoft .NET SDK 8.0 | 8.0.410 | 1 |
| Microsoft .NET SDK 8.0 | 8.4.1025.26616 | 1 |
| Microsoft .NET SDK 8.0 | 8.4.925.21804 | 1 |
| Microsoft .NET SDK 9.0 | 9.0.300 | 1 |
| Microsoft 365 Apps | 16.97.25051114 | 11 |
| Microsoft 365 Apps | 2408 (Build 16.0.17928.20538) | 13 |
| Microsoft 365 Apps | 2503 (Build 16.0.18623.20266) | 13 |
| Microsoft 365 Apps | 2504 (Build 16.0.18730.20168) | 13 |
| Microsoft ASP.NET Core Runtime 8.0 | 8.0.16 | 1 |
| Microsoft ASP.NET Core Runtime 8.0 | 8.0.16.25216 | 1 |
| Microsoft ASP.NET Core Runtime 9.0 | 9.0.5 | 1 |
| Microsoft ASP.NET Core Runtime Hosting Bundle 8.0 | 8.0.16.25216 | 1 |
| Microsoft ASP.NET Core Runtime Hosting Bundle 9.0 | 9.0.5 | 1 |
| Microsoft Edge Beta | 136.0.3240.50 | 5 |
| Microsoft Edge Beta | 137.0.3296.52 | 13 |
| Microsoft Edge Beta | 137.0.3296.52 | 11 |
| Microsoft Edge for Business | 136.0.3240.50 | 5 |
| Microsoft Edge for Business | 136.0.3240.64 | 1 |
| Microsoft Edge for Business | 136.0.3240.76 | 2 |
| Microsoft Edge for Business | 137.0.3296.52 | 11 |
| Microsoft Edge for Business | 137.0.3296.52 | 13 |
| Microsoft Visual Studio 2017 Community | 15.9.36101.55 | 2 |
| Microsoft Visual Studio 2017 Enterprise | 15.9.36101.55 | 2 |
| Microsoft Visual Studio 2017 Professional | 15.9.36101.55 | 2 |
| Microsoft Visual Studio 2019 Community | 16.11.36107.64 | 3 |
| Microsoft Visual Studio 2019 Enterprise | 16.11.36107.64 | 3 |
| Microsoft Visual Studio 2019 Professional | 16.11.36107.64 | 3 |
| Microsoft Visual Studio 2022 Community | 17.14.36109.1 | 3 |
| Microsoft Visual Studio 2022 Enterprise | 17.10.36105.31 | 3 |
| Microsoft Visual Studio 2022 Enterprise | 17.10.36117.0 | 1 |
| Microsoft Visual Studio 2022 Enterprise | 17.12.36106.13 | 3 |
| Microsoft Visual Studio 2022 Enterprise | 17.14.36109.1 | 3 |
| Microsoft Visual Studio 2022 Enterprise | 17.8.36105.29 | 3 |
| Microsoft Visual Studio 2022 Professional | 17.10.36105.31 | 3 |
| Microsoft Visual Studio 2022 Professional | 17.10.36117.0 | 1 |
| Microsoft Visual Studio 2022 Professional | 17.12.36106.13 | 3 |
| Microsoft Visual Studio 2022 Professional | 17.14.36109.1 | 3 |
| Microsoft Visual Studio 2022 Professional | 17.8.36105.29 | 3 |
| Microsoft Visual Studio Code | 1.100.1 | 1 |
| Microsoft Visual Studio Feedback Client 2017 | 15.9.36101.55 | 2 |
| Microsoft Visual Studio Team Explorer 2017 | 15.9.36101.55 | 2 |
| Microsoft Visual Studio Team Explorer 2019 | 16.11.36107.64 | 3 |
| Microsoft Visual Studio Team Explorer 2022 | 17.14.36109.1 | 3 |
| Microsoft Windows Desktop Runtime 8.0 | 8.0.16.34817 | 1 |
| Microsoft Windows Desktop Runtime 9.0 | 9.0.5 | 1 |
| Mozilla Firefox | 138.0.4 | 2 |
| Mozilla Firefox | 139.0 | 10 |
| Mozilla Firefox ESR 115 | 115.23.1 | 2 |
| Mozilla Firefox ESR 115 | 115.24.0 | 4 |
| Mozilla Firefox ESR 128 | 128.10.1 | 2 |
| Mozilla Firefox ESR 128 | 128.11.0 | 7 |
| Mozilla Thunderbird | 138.0.1 | 4 |
| Mozilla Thunderbird | 139.0 | 9 |
| Mozilla Thunderbird ESR 128 | 128.10.1 | 4 |
| Mozilla Thunderbird ESR 128 | 128.10.2 | 2 |
| Mozilla Thunderbird ESR 128 | 128.11.0 | 7 |
| Node.js 20 LTS | 20.19.2 | 4 |
| Node.js 22 LTS | 22.15.1 | 2 |
| Node.js 23 | 23.11.1 | 1 |
| Node.js 24 | 24.0.2 | 1 |
| Opera One | 119.0.5497.38 | 1 |
| Rider | 2025.1.2 | 1 |
| Studio 3T | 2025.8.0 | 2 |
| TeamCity | 2025.03.2 | 4 |
| TurboVNC | 3.2 | 1 |
| Vivaldi | 7.3.3635.12 | 1 |
| Vivaldi | 7.3.3635.14 | 2 |
| VMware Tools 12 | 12.4.7.24697291 | 1 |
| VMware Tools 12 | 12.5.2.24697584 | 1 |
| Waterfox | 6.5.7 | 9 |
| Waterfox | 6.5.7 | 10 |
Conclusion
Fast third-party patching protects your environment. May’s updates close critical gaps across browsers and apps—tightening security and boosting uptime. Check back next month for fresh insights.
For a deeper look into how third-party patch management reduces your attack surface, explore our eBook Reduce Your Attack Footprint or follow our App Management and Patching series.
