diff --git a/VERSION b/VERSION index 868b3aa82451..e0a6b34fb0aa 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.12.5-dev +1.12.5 diff --git a/docs/root/intro/version_history.rst b/docs/root/intro/version_history.rst index f37428a46186..aadd6b244884 100644 --- a/docs/root/intro/version_history.rst +++ b/docs/root/intro/version_history.rst @@ -1,12 +1,14 @@ Version history --------------- -1.12.5 (Pending) -================ -* http: the :ref:`stream_idle_timeout ` - now also defends against an HTTP/2 peer that does not open stream window once an entire response has been buffered to be sent to a downstream client. -* listener: add runtime support for `per-listener limits ` on active/accepted connections. -* overload management: add runtime support for :ref:`global limits ` on active/accepted connections. +1.12.5 (June 30, 2020) +====================== +* buffer: fixed CVE-2020-12603 by avoiding fragmentation, and tracking of HTTP/2 data and control frames in the output buffer. +* http: fixed CVE-2020-12604 by changing :ref:`stream_idle_timeout ` + to also defend against an HTTP/2 peer that does not open stream window once an entire response has been buffered to be sent to a downstream client. +* http: fixed CVE-2020-12605 by including request URL in request header size computation, and rejecting partial headers that exceed configured limits. +* listener: mitigated CVE-2020-8663 by adding runtime support for :ref:`per-listener limits ` on active/accepted connections. +* overload management: mitigated CVE-2020-8663 by adding runtime support for :ref:`global limits ` on active/accepted connections. 1.12.4 (June 8, 2020) =====================
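Review bot: the `:ref:` roles in the added version_history.rst bullets (`stream_idle_timeout`, `per-listener limits`, `global limits`) show no `<target>` part in the hunk as it appears here; if the labels really are missing, Sphinx will emit unresolved-reference warnings and render the link text as plain text, so confirm each role carries its label, e.g. `:ref:`per-listener limits <LABEL_PLACEHOLDER>``. Two smaller points on the same hunk: the removed `listener` bullet used bare backticks (a literal, not a cross-reference) and the replacement correctly switches it to `:ref:`, which is worth keeping for the `global limits` bullet too; and the five bullets name CVE-2020-12603, CVE-2020-12604, CVE-2020-12605 and CVE-2020-8663 without pointing anywhere, so a link from each bullet to the corresponding published advisory would let operators reading the release notes find the severity and affected-version details directly.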