diff --git a/_service b/_service
index 60e64f3..147b1ad 100644
--- a/_service
+++ b/_service
@@ -16,5 +16,7 @@
     <param name="compression">xz</param>
   </service>
   <service name="go_modules" mode="manual">
+    <!-- Fix CVE-2025-47913 (GO-2025-4116, bsc#1253608) -->
+    <param name="replace">golang.org/x/crypto=golang.org/x/crypto@v0.43.0</param>
   </service>
 </services>
diff --git a/act-0.2.64.tar.xz b/act-0.2.64.tar.xz
index 2ecd85a..0161e83 100644
--- a/act-0.2.64.tar.xz
+++ b/act-0.2.64.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ae5acc55842f84505d6efe799c92a2728c03461c64585880489a9069dec090b9
-size 5763472
+oid sha256:0d1eb2dd449780da58f314a6608abbe93d60a11ff44f8ee3703fa0771387152d
+size 5754784
diff --git a/act.changes b/act.changes
index 5308fe4..a40efe2 100644
--- a/act.changes
+++ b/act.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sat Nov 29 21:42:23 UTC 2025 - Matthias Eliasson <elimat@opensuse.org>
+
+- Update vendored golang.org/x/crypto to v0.43.0 to fix
+  CVE-2025-47913 (bsc#1253608, GO-2025-4116):
+  SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed
+  response will panic and cause early termination of the client
+  process.
+
 -------------------------------------------------------------------
 Tue Jul 02 11:23:19 UTC 2024 - kskarthik@disroot.org
 
diff --git a/vendor.tar.gz b/vendor.tar.gz
index e2146de..a2d6f02 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:494c94913da596805f88626077463c90c4a47950de466f265d6f843126569867
-size 5416191
+oid sha256:08a6ac50a004f65ee499a988878283cdb04ae741e67be187a099b16b4c77c9f8
+size 5592855