diff --git a/artifacts/attributes.adoc b/artifacts/attributes.adoc
index 3a91f31946..ebf60fd2a7 100644
--- a/artifacts/attributes.adoc
+++ b/artifacts/attributes.adoc
@@ -11,8 +11,8 @@
 :product-short: Developer Hub
 :product-very-short: RHDH
 :product-version: 1.2
-:product-bundle-version: 1.2.4
-:product-chart-version: 1.2.4
+:product-bundle-version: 1.2.5
+:product-chart-version: 1.2.5
 :product-backstage-version: 1.26.5
 :rhdeveloper-name: Red Hat Developer
 :rhel: Red Hat Enterprise Linux
diff --git a/modules/release-notes/con-relnotes-fixed-issues.adoc b/modules/release-notes/con-relnotes-fixed-issues.adoc
index b34c4f0b32..9f4ca709a8 100644
--- a/modules/release-notes/con-relnotes-fixed-issues.adoc
+++ b/modules/release-notes/con-relnotes-fixed-issues.adoc
@@ -1,5 +1,5 @@
 [id='con-relnotes-fixed-issues_{context}']
-= Fixed issues in {product} {product-version} and 1.2.2
+= Fixed issues in {product} {product-version}
 
 == Fixed issues in {product} 1.2.2
 
@@ -220,6 +220,12 @@ With the release of the {product-short} 1.2.1 Helm chart, this is fixed.
 
 == Fixed security issues
 
+=== Fixed security issues in {product} 1.2.5
+
+include::snip-fixed-security-issues-in-product-1.2.5.adoc[leveloffset=+3]
+
+include::snip-fixed-security-issues-in-rpm-1.2.5.adoc[leveloffset=+3]
+
 === Fixed security issues in {product} 1.2.3
 
 This section lists fixed security issues with {product} 1.2.3:
diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt
new file mode 100644
index 0000000000..170e53d939
--- /dev/null
+++ b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt
@@ -0,0 +1,14 @@
+# CVE number, affected package, fixed in version(s), JIRA
+
+CVE-2024-43799,send,0.19.0,RHIDP-3946
+CVE-2024-43800,serve-static,1.16.0,RHIDP-3932
+CVE-2024-45590,body-parser,1.20.3,RHIDP-3916
+CVE-2024-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-4668
+
+# these are live, pending the release of 1.2.5
+CVE-2024-48949,elliptic,6.5.6,RHIDP-4417
+CVE-2024-21529,dset,3.1.4,RHIDP-3925
+CVE-2024-24791,net/http,go-toolset:1.21.13-2,RHIDP-3173
+CVE-2024-39249,async,2.6.4||3.2.5,RHIDP-3146
+CVE-2024-21536, http-proxy-middleware, , RHIDP-4921
+CVE-2024-21538, cross-spawn, , RHIDP-4865
diff --git a/modules/release-notes/list-fixed-security-issues-in-rpm-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-rpm-1.2.5.txt
new file mode 100644
index 0000000000..5ea924b1f9
--- /dev/null
+++ b/modules/release-notes/list-fixed-security-issues-in-rpm-1.2.5.txt
@@ -0,0 +1,9 @@
+# RPM updates from Freshmaker (RHIDP-4218)
+CVE-2024-37371
+CVE-2024-37370
+CVE-2024-6923
+CVE-2024-39331
+CVE-2024-45490
+CVE-2024-45491
+CVE-2024-45492
+CVE-2024-6119
diff --git a/modules/release-notes/single-source-fixed-security-issues.sh b/modules/release-notes/single-source-fixed-security-issues.sh
new file mode 100755
index 0000000000..f4e547cec9
--- /dev/null
+++ b/modules/release-notes/single-source-fixed-security-issues.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# Copyright (c) 2024 Red Hat, Inc.
+# This program, and the accompanying materials are made
+# available under the terms of the Apache Public License 2.0,
+# available at http://www.apache.org/licenses/
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Single-source the release notes Fixed security issues section from Red Hat Security Data API.
+# See: https://docs.redhat.com/en/documentation/red_hat_security_data_api/1.0/html/red_hat_security_data_api/cve
+
+# Fail and stop on first error
+set -e
+
+# get the z-stream version from the bundle-version attribute. Note that while chart-version could be larger, this is the correct value for CVE tracking
+# if a different version is passed in than the value in 'product-bundle-version', generate content for that version instead
+if [[ $1 ]]; then product_version="$1"; else product_version="$(grep ':product-bundle-version:' artifacts/attributes.adoc | cut -d' ' -f2 )"; fi
+
+single_source_from_security_data () {
+  sectionname="fixed-security-issues-in-${section}-${product_version}"
+  dirname=$(dirname ${BASH_SOURCE})
+  destination="${dirname}/snip-${sectionname}.adoc"
+  list="${dirname}/list-${sectionname}.txt"
+  list_cleaned=""
+  # Assert that the list file exists.
+  if [ ! -f ${list} ]; then
+    echo "ERROR: The ${list} file is missing. You must create it to proceed. For a given version, can collect the list of CVEs from a JIRA query like https://issues.redhat.com/issues/?jql=labels%3DSecurityTracking+and+project%3DRHIDP+and+fixversion%3D1.3.1 or list of Erratas from https://errata.devel.redhat.com/advisory/filters/4213"
+    exit 1
+  fi
+  echo -e "= ${title}" > "$destination"
+  while IFS="" read -r cve || [ -n "$cve" ]; do
+    if [[ ${cve} != "#"* ]] && [[ $cve != "" ]]; then # skip commented and blank lines
+      list_cleaned="${list_cleaned}\n${cve%%,*}" # trim csv content after the CVE number
+    fi
+  done < "$list"
+  list_cleaned=$(echo -e "$list_cleaned" | sort -uV)
+  for cve in $list_cleaned; do
+    # Start the list.
+    # echo "[DEBUG] $cve ..."
+    echo -e "\nlink:https://access.redhat.com/security/cve/$cve[$cve]::" >> "$destination"
+    # Call the API to return a list of details.
+    # Red Hat is last if there is one.
+    # Red Hat details is single line.
+    # MITRE details are multiline.
+    # We keep Red Hat details if present.
+    # We keep only the first two lines on MITRE details.
+    curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/$cve.json" | jq -r '.details[-1]' | head -n 2 >> "$destination"
+  done
+  # in 1.3, don't remove the 'modules/release-notes/' path prefix, just use ${destination} and use levelofset=+2
+  echo "include::${destination##*release-notes/}[leveloffset=+3]"
+}
+
+title="{product} dependency updates"
+section="product"
+single_source_from_security_data
+
+title="RHEL 9 platform RPM updates"
+section="rpm"
+single_source_from_security_data
+
+# in 1.3, this moves to assemblies/assembly-release-notes-fixed-security-issues.adoc
+echo "INFO: Verify that the modules/release-notes/con-relnotes-fixed-issues.adoc file contains aforementioned required include statements."
diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc
new file mode 100644
index 0000000000..01e6f56e17
--- /dev/null
+++ b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc
@@ -0,0 +1,31 @@
+= {product} dependency updates
+
+link:https://access.redhat.com/security/cve/CVE-2024-21529[CVE-2024-21529]::
+A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.
+
+link:https://access.redhat.com/security/cve/CVE-2024-21536[CVE-2024-21536]::
+A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths.
+
+link:https://access.redhat.com/security/cve/CVE-2024-21538[CVE-2024-21538]::
+Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
+
+link:https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]::
+A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
+
+link:https://access.redhat.com/security/cve/CVE-2024-37890[CVE-2024-37890]::
+A flaw was found in the Node.js WebSocket library (ws). A request with several headers exceeding the 'server.maxHeadersCount' threshold could be used to crash a ws server, leading to a denial of service.
+
+link:https://access.redhat.com/security/cve/CVE-2024-39249[CVE-2024-39249]::
+A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.
+
+link:https://access.redhat.com/security/cve/CVE-2024-43799[CVE-2024-43799]::
+A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function.
+
+link:https://access.redhat.com/security/cve/CVE-2024-43800[CVE-2024-43800]::
+A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().
+
+link:https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]::
+A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.
+
+link:https://access.redhat.com/security/cve/CVE-2024-48949[CVE-2024-48949]::
+A flaw was found in the Elliptic package. This vulnerability allows attackers to bypass EDDSA signature validation via improper handling of signature values where the S() component of the signature is not properly checked for being non-negative or smaller than the curve order.
diff --git a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc
new file mode 100644
index 0000000000..b6681ab56c
--- /dev/null
+++ b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc
@@ -0,0 +1,25 @@
+= RHEL 9 platform RPM updates
+
+link:https://access.redhat.com/security/cve/CVE-2024-6119[CVE-2024-6119]::
+A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.
+
+link:https://access.redhat.com/security/cve/CVE-2024-6923[CVE-2024-6923]::
+A vulnerability was found in the email module that uses Python language. The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity.
+
+link:https://access.redhat.com/security/cve/CVE-2024-37370[CVE-2024-37370]::
+A vulnerability was found in the MIT Kerberos 5 GSS krb5 wrap token, where an attacker can modify the plaintext Extra Count field, causing the unwrapped token to appear truncated to the application, occurs when the attacker alters the token data during transmission which can lead to improper handling of authentication tokens.
+
+link:https://access.redhat.com/security/cve/CVE-2024-37371[CVE-2024-37371]::
+A vulnerability was found in the MIT Kerberos 5 GSS krb5 wrap token, where an attacker can modify the plaintext Extra Count field, causing the unwrapped token to appear truncated to the application, occurs when the attacker alters the token data during transmission which can lead to improper handling of authentication tokens.
+
+link:https://access.redhat.com/security/cve/CVE-2024-39331[CVE-2024-39331]::
+A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments.
+
+link:https://access.redhat.com/security/cve/CVE-2024-45490[CVE-2024-45490]::
+A flaw was found in libexpat's xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function.
+
+link:https://access.redhat.com/security/cve/CVE-2024-45491[CVE-2024-45491]::
+An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX.
+
+link:https://access.redhat.com/security/cve/CVE-2024-45492[CVE-2024-45492]::
+A flaw was found in libexpat's internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX.