diff --git a/Makefile b/Makefile
index 88e841f0ced..1720a185bad 100644
--- a/Makefile
+++ b/Makefile
@@ -89,7 +89,7 @@ else
   endif
 endif
 
-ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.25.8-patch1
+ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.25.9-patch1
 
 # The full SHA of the currently checked out commit
 CHECKED_OUT_SHA := $(shell git rev-parse HEAD)
diff --git a/changelog/v1.14.13/bump-envoy-gloo.yaml b/changelog/v1.14.13/bump-envoy-gloo.yaml
new file mode 100644
index 00000000000..45b9c18b560
--- /dev/null
+++ b/changelog/v1.14.13/bump-envoy-gloo.yaml
@@ -0,0 +1,12 @@
+changelog:
+- type: DEPENDENCY_BUMP
+  description: Bump envoy gloo to latest v1.25.9-patch1
+  dependencyOwner: solo-io
+  dependencyRepo: envoy-gloo
+  dependencyTag: v1.25.9-patch1
+- type: FIX
+  issueLink: https://github.com/solo-io/solo-projects/issues/5138
+  resolvesIssue: false
+  description: >
+    Pulls in upstream Envoy v1.25.9-patch1, which resolves
+    CVE-2023-35941, CVE-2023-35942, CVE-2023-35944, and CVE-2023-35945