diff --git a/1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch b/1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch
new file mode 100644
index 0000000000000000000000000000000000000000..38399d7a92eb3bf2c9e3d361b8f3c5b360ade8b7
--- /dev/null
+++ b/1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch
@@ -0,0 +1,115 @@
+From ea47462fc718a426b369e4c86c197e618f1ade86 Mon Sep 17 00:00:00 2001
+From: lzq11122
+Date: Fri, 14 Nov 2025 11:22:21 +0800
+Subject: [PATCH 1/1] add patch to fix CVE-2025-58185 and CVE-2025-61723
+
+---
+ src/encoding/asn1/asn1.go | 10 ++++++++-
+ src/encoding/asn1/asn1_test.go | 38 ++++++++++++++++++++++++++++++++++
+ src/go/build/deps_test.go | 2 +-
+ 3 files changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/src/encoding/asn1/asn1.go b/src/encoding/asn1/asn1.go
+index 488fb9b..e1f4cba 100644
+--- a/src/encoding/asn1/asn1.go
++++ b/src/encoding/asn1/asn1.go
+@@ -22,6 +22,7 @@ package asn1
+ import (
+ "errors"
+ "fmt"
++ "internal/saferio"
+ "math"
+ "math/big"
+ "reflect"
+@@ -635,10 +636,17 @@ func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type
+ offset += t.length
+ numElements++
+ }
+- ret = reflect.MakeSlice(sliceType, numElements, numElements)
++ elemSize := uint64(elemType.Size())
++ safeCap := saferio.SliceCapWithSize(elemSize, uint64(numElements))
++ if safeCap < 0 {
++ err = SyntaxError{fmt.Sprintf("%s slice too big: %d elements of %d bytes", elemType.Kind(), numElements, elemSize)}
++ return
++ }
++ ret = reflect.MakeSlice(sliceType, 0, safeCap)
+ params := fieldParameters{}
+ offset := 0
+ for i := 0; i < numElements; i++ {
++ ret = reflect.Append(ret, reflect.Zero(elemType))
+ offset, err = parseField(ret.Index(i), bytes, offset, params)
+ if err != nil {
+ return
+diff --git a/src/encoding/asn1/asn1_test.go b/src/encoding/asn1/asn1_test.go
+index 9a605e2..249d4e4 100644
+--- a/src/encoding/asn1/asn1_test.go
++++ b/src/encoding/asn1/asn1_test.go
+@@ -7,10 +7,12 @@ package asn1
+ import (
+ "bytes"
+ "encoding/hex"
++ "errors"
+ "fmt"
+ "math"
+ "math/big"
+ "reflect"
++ "runtime"
+ "strings"
+ "testing"
+ "time"
+@@ -1175,3 +1177,39 @@ func BenchmarkObjectIdentifierString(b *testing.B) {
+ _ = oidPublicKeyRSA.String()
+ }
+ }
++
++func TestParsingMemoryConsumption(t *testing.T) {
++ // Craft a syntatically valid, but empty, ~10 MB DER bomb. A successful
++ // unmarshal of this bomb should yield ~280 MB. However, the parsing should
++ // fail due to the empty content; and, in such cases, we want to make sure
++ // that we do not unnecessarily allocate memories.
++ derBomb := make([]byte, 10_000_000)
++ for i := range derBomb {
++ derBomb[i] = 0x30
++ }
++ derBomb = append([]byte{0x30, 0x83, 0x98, 0x96, 0x80}, derBomb...)
++
++ var m runtime.MemStats
++ runtime.GC()
++ runtime.ReadMemStats(&m)
++ memBefore := m.TotalAlloc
++
++ var out []struct {
++ Id []int
++ Critical bool `asn1:"optional"`
++ Value []byte
++ }
++ _, err := Unmarshal(derBomb, &out)
++ if !errors.As(err, &SyntaxError{}) {
++ t.Fatalf("Incorrect error result: want (%v), but got (%v) instead", &SyntaxError{}, err)
++ }
++
++ runtime.ReadMemStats(&m)
++ memDiff := m.TotalAlloc - memBefore
++
++ // Ensure that the memory allocated does not exceed 10<<21 (~20 MB) when
++ // the parsing fails.
++ if memDiff > 10<<21 {
++ t.Errorf("Too much memory allocated while parsing DER: %v MiB", memDiff/1024/1024)
++ }
++}
+diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
+index e3e0107..2a1606e 100644
+--- a/src/go/build/deps_test.go
++++ b/src/go/build/deps_test.go
+@@ -533,7 +533,7 @@ var depsRules = `
+
+ # CRYPTO-MATH is crypto that exposes math/big APIs - no cgo, net; fmt now ok.
+
+- CRYPTO, FMT, math/big
++ CRYPTO, FMT, math/big, internal/saferio
+ < crypto/internal/boring/bbig
+ < crypto/rand
+ < crypto/ed25519 # depends on crypto/rand.Reader
+--
+2.43.5
+
diff --git a/golang.spec b/golang.spec
index 568e7799e043defd3c554bda23514588e0afc62f..a0a2c2278609511639ad4c8d87532cd85b89071a 100644
--- a/golang.spec
+++ b/golang.spec
@@ -1,4 +1,4 @@
-%define anolis_release 11
+%define anolis_release 12
 # Disable debuginfo packages
 %global debug_package %{nil}
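Review bot: The subject line, the new file's name and the spec's `%changelog` entry all claim a fix for CVE-2025-61723 alongside CVE-2025-58185, but the embedded diffstat lists only `src/encoding/asn1/asn1.go`, its test and `src/go/build/deps_test.go`, i.e. just the `parseSequenceOf` capacity bound. If CVE-2025-61723 is the encoding/pem issue from the same upstream security release (confirm against the upstream advisory), nothing in this patch addresses it and the package would advertise a fix it does not ship; either add the encoding/pem change as a second patch or drop that id from the subject, file name and changelog so the security metadata matches the code. The asn1 hunk itself follows the upstream shape: `saferio.SliceCapWithSize` caps the initial capacity, `reflect.Append` grows the slice one element at a time, and a `parseField` failure on a truncated body stops the growth, which is what `TestParsingMemoryConsumption` checks with its `10<<21` bound.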
@@ -134,6 +134,8 @@ Patch47: 0047-Fix-CVE-2025-47906.patch
 Patch48: 0048-Fix-CVE-2025-22870.patch
 # https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9
 Patch49: 0049-Fix-CVE-2025-58189.patch
+# https://github.com/golang/go/commit/5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1
+Patch50: 1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch
 # The compiler is written in Go. Needs go(1.4+) compiler for build.
 %if %{with bootstrap}
@@ -518,6 +520,10 @@ export GOROOT=$(pwd -P)
 export PATH="$GOROOT"/bin:"$PATH"
 cd src
+if [ -d "/tmp/go-tool-dist-*" ]; then
+ rm -rf /tmp/go-tool-dist-*
+fi
+
 export CC="gcc"
 export CFLAGS="$RPM_OPT_FLAGS"
 export LDFLAGS="$RPM_LD_FLAGS"
@@ -611,6 +617,9 @@ fi
 %files docs -f go-docs.list
 %changelog
+* Fri Nov 14 2025 lzq11122 - 1.24.0-12
+- Add patch to fix CVE-2025-58185 and CVE-2025-61723
+
 * Mon Nov 3 2025 wh02252983 - 1.24.0-11
 - add patch to fix CVE-2025-58189
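Review bot: `Patch50` points at `1001-add-patch-to-fix-CVE-2025-58185-and-CVE-2025-61723.patch`, while every neighbouring entry is named after its tag number in the form `00NN-Fix-CVE-….patch` (`0049-Fix-CVE-2025-58189.patch` for Patch49). The out-of-sequence prefix and verb-phrase name make the patch queue harder to audit against the `PatchNN` tags; rename the file and use `Patch50: 0050-Fix-CVE-2025-58185.patch` (listing a second id only if that CVE is actually fixed by the file). Keeping the `# https://github.com/golang/go/commit/…` provenance comment above the tag, as the neighbours do, is the right call.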
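Review bot: The new guard `if [ -d "/tmp/go-tool-dist-*" ]; then` can never be true: the double quotes suppress glob expansion, so `-d` tests for a directory literally named `go-tool-dist-*` and the `rm -rf` inside is dead code. `rm -rf` on a glob that matches nothing is already a no-op, so the three-line block can collapse to `rm -rf /tmp/go-tool-dist-*`. Deleting from the host's shared `/tmp` is also broader than the build needs; if the leftovers are the scratch directories `go tool dist` creates and the toolchain honours `GOTMPDIR` for them (confirm against the bootstrap toolchain in use), pointing that at a directory inside the build tree removes both the stale state and the cross-process cleanup.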