diff --git a/Dockerfile b/Dockerfile
index 009bec24..1eaf1397 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -244,9 +244,11 @@ FROM ${CADDY_IMAGE}
 WORKDIR /app
 # Install runtime dependencies for Charon (no bash needed)
+# Explicitly upgrade c-ares to fix CVE-2025-62408
 # hadolint ignore=DL3018
 RUN apk --no-cache add ca-certificates sqlite-libs tzdata curl gettext \
- && apk --no-cache upgrade
+ && apk --no-cache upgrade \
+ && apk --no-cache upgrade c-ares
 # Download MaxMind GeoLite2 Country database
 # Note: In production, users should provide their own MaxMind license key
diff --git a/go.work.sum b/go.work.sum
index 1847c2ec..308a65f8 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -43,7 +43,10 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/oschwald/geoip2-golang/v2 v2.0.1 h1:YcYoG/L+gmSfk7AlToTmoL0JvblNyhGC8NyVhwDzzi8=
+<<<<<<< HEAD
 github.com/oschwald/geoip2-golang/v2 v2.0.1/go.mod h1:qdVmcPgrTJ4q2eP9tHq/yldMTdp2VMr33uVdFbHBiBc=
+=======
+>>>>>>> 21d0478 (fix: upgrade c-ares to address CVE-2025-62408 and add MaxMind GeoLite2 configuration files)
 github.com/oschwald/maxminddb-golang/v2 v2.1.1 h1:lA8FH0oOrM4u7mLvowq8IT6a3Q/qEnqRzLQn9eH5ojc=
 github.com/oschwald/maxminddb-golang/v2 v2.1.1/go.mod h1:PLdx6PR+siSIoXqqy7C7r3SB3KZnhxWr1Dp6g0Hacl8=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
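Review bot: The added `apk --no-cache upgrade c-ares` in the `RUN` step does not by itself guarantee that the image carries the fix for CVE-2025-62408. The `apk --no-cache upgrade` just before it already upgrades every installed package, so the extra command only picks up whatever version the base image's repository offers, and the build still succeeds if that version is vulnerable. Making the requirement explicit would fail the build instead, for example `&& apk --no-cache add "c-ares>=FIXED_VERSION"`, where FIXED_VERSION is a placeholder for the patched Alpine package version, which the page does not state. The comment could then name that version, as in `# c-ares >= FIXED_VERSION required for CVE-2025-62408`, and an image scan in CI would confirm the result. The build stage this `RUN` belongs to starts at the `FROM` line outside the hunk, so the Alpine branch in use is not visible here.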
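Review bot: The three added lines in go.work.sum, `<<<<<<< HEAD`, `=======` and `>>>>>>> 21d0478 (...)`, are unresolved merge-conflict markers, not checksum entries. This file is what the go command uses to verify module hashes for the workspace, so a malformed file can break builds or weaken that verification. The markers also leave it unclear whether the `github.com/oschwald/geoip2-golang/v2 v2.0.1/go.mod` hash between them was meant to be kept or dropped. Resolve the conflict by deleting the three marker lines and letting the go command regenerate the file rather than hand-editing hashes. A pre-merge check such as `git diff --check`, which reports leftover conflict markers, would catch this in future.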