diff --git a/CHANGELOG.md b/CHANGELOG.md
index 410deb3f87..61f1d9b0f8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -58,7 +58,13 @@ RELEASING:
 ### Fixed
 - do not enforce a time-dependent routing algorithm unless the weighting requires it ([#1865](https://github.com/GIScience/openrouteservice/pull/1865))
 - failing queries that combined departure/arrival parameters with avoid polygons ([#1871](https://github.com/GIScience/openrouteservice/pull/1871))
-- matrix limit ignored for explicit 'all' value in sources or destinations([#1875](https://github.com/GIScience/openrouteservice/pull/1875))
+- matrix limit ignored for explicit 'all' value in sources or
+  destinations ([#1875](https://github.com/GIScience/openrouteservice/pull/1875))
+
+### Security
+
+- updated graphhopper dependency with fix for
+  CVE-2024-7254 ([#1918](https://github.com/GIScience/openrouteservice/pull/1918))
 
 ## [8.2.0] - 2024-10-09
 ### Added
diff --git a/pom.xml b/pom.xml
index bad3ed8504..b7a654b88b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -49,7 +49,7 @@
         <maven.build.timestamp.format>yyyy-MM-dd'T'HH:mm:ss'Z'</maven.build.timestamp.format>
 
         <!-- switch graphhopper versions to enable debugging -->
-        <graphhopper.version>v4.9.4</graphhopper.version>
+        <graphhopper.version>v4.9.5</graphhopper.version>
         <!--graphhopper.version>v4.9-SNAPSHOT</graphhopper.version-->
         <lombok.version>1.18.34</lombok.version>
         <slf4j.version>2.0.13</slf4j.version>