diff --git a/efs-utils.yaml b/efs-utils.yaml
index d1e1bc89d4a..7cd4fe05a1e 100644
--- a/efs-utils.yaml
+++ b/efs-utils.yaml
@@ -1,7 +1,7 @@
 package:
 name: efs-utils
 version: "2.3.3"
- epoch: 0
+ epoch: 1 # GHSA-qx2v-8332-m4fv
 description: Utilities for Amazon Elastic File System (EFS)
 copyright:
 - license: MIT
@@ -43,7 +43,7 @@ pipeline:
 - uses: patch
 with:
- patches: GHSA-857q-xmph-p2v5.patch
+ patches: cve-patches.patch
 - runs: |
 # This looks a little funny, but it aims to be easier to maintain, so we just
@@ -111,7 +111,7 @@ subpackages:
 pipeline:
 - uses: patch
 with:
- patches: ../GHSA-857q-xmph-p2v5.patch
+ patches: ../cve-patches.patch
 - runs: |
 # This looks a little funny, but it aims to be easier to maintain, so we just
 # copy from the upstream `build-deb.sh` script the bits we need.
diff --git a/efs-utils/GHSA-857q-xmph-p2v5.patch b/efs-utils/GHSA-857q-xmph-p2v5.patch
deleted file mode 100644
index 931636d61c7..00000000000
--- a/efs-utils/GHSA-857q-xmph-p2v5.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Fix CVE: GHSA-857q-xmph-p2v5, GHSA-52xf-5p2m-9wrv
-diff --git a/src/proxy/Cargo.toml b/src/proxy/Cargo.toml
-index 0a6d0ad..1d92f38 100644
---- a/src/proxy/Cargo.toml
-+++ b/src/proxy/Cargo.toml
-@@ -19,9 +19,9 @@ log4rs = { version = "0", features = ["rolling_file_appender", "compound_policy"
- nix = { version = "0.26.2", features = ["signal"]}
- onc-rpc = "0.2.3"
- rand = "0.8.5"
--s2n-tls = "0.0"
--s2n-tls-tokio = "0.0"
--s2n-tls-sys = "0.0"
-+s2n-tls = "0.3.0"
-+s2n-tls-tokio = "0.3.0"
-+s2n-tls-sys = "0.3.0"
- serde = {version="1.0.175",features=["derive"]}
- serde_ini = "0.2.0"
- thiserror = "1.0.44"
diff --git a/efs-utils/cve-patches.patch b/efs-utils/cve-patches.patch
new file mode 100644
index 00000000000..0ffdc6b7302
--- /dev/null
+++ b/efs-utils/cve-patches.patch
@@ -0,0 +1,33 @@
+From 1553b07a5acf8584b7fda3efacdaa780dcb3ee20 Mon Sep 17 00:00:00 2001
+From: David Negreira
+Date: Thu, 14 Aug 2025 09:35:16 +0000
+Subject: [PATCH] fix GHSA-857q-xmph-p2v5, GHSA-52xf-5p2m-9wrv,
+ GHSA-qx2v-8332-m4fv
+
+---
+ src/proxy/Cargo.toml | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/proxy/Cargo.toml b/src/proxy/Cargo.toml
+index 24ecbab..9dde427 100644
+--- a/src/proxy/Cargo.toml
++++ b/src/proxy/Cargo.toml
+@@ -20,11 +20,12 @@ log4rs = { version = "1.2.0", features = ["rolling_file_appender", "compound_pol
+ nix = { version = "0.26.2", features = ["signal"]}
+ onc-rpc = "0.2.3"
+ rand = "0.8.5"
+-s2n-tls = "0.0"
+-s2n-tls-tokio = "0.0"
+-s2n-tls-sys = "0.0"
++s2n-tls = "0.3.0"
++s2n-tls-tokio = "0.3.0"
++s2n-tls-sys = "0.3.0"
+ serde = {version="1.0.175",features=["derive"]}
+ serde_ini = "0.2.0"
++slab = "0.4.11"
+ thiserror = "1.0.44"
+ tokio = { version = "1.29.0, <1.39", features = ["full"] }
+ tokio-util = "0.7.8"
+--
+2.47.2
+
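Review bot: The added `slab = "0.4.11"` line in the embedded Cargo.toml hunk carries no explanation of why slab becomes a direct dependency; it appears to be there only to force a transitive crate forward, so a later rebase of this patch could drop it as unused and quietly bring the advisory back. The link to GHSA-qx2v-8332-m4fv is only implied by the Subject line and the epoch comment in efs-utils.yaml, so I would record the mapping next to both `patches:` entries, e.g. `# cve-patches.patch: s2n-tls* >= 0.3.0 (GHSA-857q-xmph-p2v5, GHSA-52xf-5p2m-9wrv); slab >= 0.4.11 (GHSA-qx2v-8332-m4fv)`. Both requirements are Cargo caret ranges and the patch touches only Cargo.toml, so the versions actually linked are decided by dependency resolution at build time. Whether a Cargo.lock is involved is not visible here, so it is worth confirming the resolved s2n-tls and slab versions in the built package rather than relying on the manifest alone.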