diff --git a/CHANGELOG.md b/CHANGELOG.md
index 555add6ddd..6b3ca1c0eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 ## [UNRELEASED]
+- Update default CodeQL bundle version to 2.20.2. [#2707](https://github.com/github/codeql-action/pull/2707)
 - Fix an issue downloading the CodeQL Bundle from a GitHub Enterprise Server instance which occurred when the CodeQL Bundle had been synced to the instance using the [CodeQL Action sync tool](https://github.com/github/codeql-action-sync-tool) and the Actions runner did not have Zstandard installed. [#2710](https://github.com/github/codeql-action/pull/2710)
 ## 3.28.2 - 21 Jan 2025
diff --git a/lib/defaults.json b/lib/defaults.json
index 1afbbc52d3..851fee2175 100644
--- a/lib/defaults.json
+++ b/lib/defaults.json
@@ -1,6 +1,6 @@
 {
- "bundleVersion": "codeql-bundle-v2.20.1",
- "cliVersion": "2.20.1",
- "priorBundleVersion": "codeql-bundle-v2.20.0",
- "priorCliVersion": "2.20.0"
+ "bundleVersion": "codeql-bundle-v2.20.2",
+ "cliVersion": "2.20.2",
+ "priorBundleVersion": "codeql-bundle-v2.20.1",
+ "priorCliVersion": "2.20.1"
 }
diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json
index a9ab271a4b..3c008471ec 100644
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@@ -7568,9 +7568,10 @@
 }
 },
 "node_modules/undici": {
- "version": "5.28.4",
- "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.4.tgz",
- "integrity": "sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==",
+ "version": "5.28.5",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
+ "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
+ "license": "MIT",
 "dependencies": {
 "@fastify/busboy": "^2.0.0"
 },
diff --git a/node_modules/undici/lib/fetch/body.js b/node_modules/undici/lib/fetch/body.js
index fd8481b796..4afcfdfbcd 100644
--- a/node_modules/undici/lib/fetch/body.js
+++ b/node_modules/undici/lib/fetch/body.js
@@ -22,6 +22,14 @@ const { isUint8Array, isArrayBuffer } = require('util/types')
 const { File: UndiciFile } = require('./file')
 const { parseMIMEType, serializeAMimeType } = require('./dataURL')
+let random
+try {
+ const crypto = require('node:crypto')
+ random = (max) => crypto.randomInt(0, max)
+} catch {
+ random = (max) => Math.floor(Math.random(max))
+}
+
 let ReadableStream = globalThis.ReadableStream
 /** @type {globalThis['File']} */
@@ -107,7 +115,7 @@ function extractBody (object, keepalive = false) {
 // Set source to a copy of the bytes held by object.
 source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
 } else if (util.isFormDataLike(object)) {
- const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}`
+ const boundary = `----formdata-undici-0${`${random(1e11)}`.padStart(11, '0')}`
 const prefix = `--${boundary}\r\nContent-Disposition: form-data`
 /*! formdata-polyfill. MIT License. Jimmy Wärting */
diff --git a/node_modules/undici/package.json b/node_modules/undici/package.json
index 65a2d9833c..0c6b71e175 100644
--- a/node_modules/undici/package.json
+++ b/node_modules/undici/package.json
@@ -1,6 +1,6 @@
 {
 "name": "undici",
- "version": "5.28.4",
+ "version": "5.28.5",
 "description": "An HTTP/1.1 client, written from scratch for Node.js",
 "homepage": "https://undici.nodejs.org",
 "bugs": {
diff --git a/package-lock.json b/package-lock.json
index f8179a025f..6ac92424bd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7636,9 +7636,10 @@
 }
 },
 "node_modules/undici": {
- "version": "5.28.4",
- "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.4.tgz",
- "integrity": "sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==",
+ "version": "5.28.5",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
+ "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
+ "license": "MIT",
 "dependencies": {
 "@fastify/busboy": "^2.0.0"
 },
diff --git a/src/defaults.json b/src/defaults.json
index 3c3e56944a..8645754788 100644
--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,6 +1,6 @@
 {
- "bundleVersion": "codeql-bundle-v2.20.1",
- "cliVersion": "2.20.1",
- "priorBundleVersion": "codeql-bundle-v2.20.0",
- "priorCliVersion": "2.20.0"
+ "bundleVersion": "codeql-bundle-v2.20.2",
+ "cliVersion": "2.20.2",
+ "priorBundleVersion": "codeql-bundle-v2.20.1",
+ "priorCliVersion": "2.20.1"
 }