Hi Michael,
Mbed TLS 2.25 has many known bugs, including security vulnerabilities. You can find them listed in the changelog at https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-2.28/ChangeLog
Those bugs are fixed in the backward-compatible branch mbedtls-2.28, which is still receiving patches for now. However, the end-of-life of this branch is this month. (I expect we'll make one last release with bug fixes that we haven't released yet.) So it's not worth upgrading to 2.28 at this point, and you should move directly to mbedtls-3.6 (long-term support branch maintained until at least March 2027).
You can find a guide to the incompatible changes between Mbed TLS 2.x and 3.x at https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.6/docs/3.0-migration-guid... . In addition, the Mbed TLS 3.6 branch is the last one that has mbedtls_xxx legacy APIs for cryptography: starting with Mbed TLS 4.0, only PSA APIs will be available for cryptography. In 3.6, both APIs are present. So if you're going to do a nontrivial migration, you might as well migrate to something that can then work in 4.x. You can find a guide to migrating to PSA crypto APIs in https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.6/docs/psa-transition.md
Best regards,