diff --git a/0017-fix-CVE-2025-4123.patch b/0017-fix-CVE-2025-4123.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1c8ce33b0751026025678b76af5dd7428748cd7f
--- /dev/null
+++ b/0017-fix-CVE-2025-4123.patch
@@ -0,0 +1,39 @@
+From 9900159635d616f01fb1be98ef94145637d06d07 Mon Sep 17 00:00:00 2001
+From: Sam Feifer
+Date: Tue, 13 May 2025 11:33:22 -0400
+Subject: [PATCH] fix CVE-2025-4123
+
+---
+ conf/defaults.ini | 2 +-
+ conf/sample.ini | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/conf/defaults.ini b/conf/defaults.ini
+index 2d6e1235b60..cf1ce8a962f 100644
+--- a/conf/defaults.ini
++++ b/conf/defaults.ini
+@@ -310,7 +310,7 @@ x_xss_protection = true
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-content_security_policy = false
++content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
+diff --git a/conf/sample.ini b/conf/sample.ini
+index 227c90e895d..19afa036b9b 100644
+--- a/conf/sample.ini
++++ b/conf/sample.ini
+@@ -310,7 +310,7 @@
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-;content_security_policy = false
++;content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
+-- 
+2.49.0
+
diff --git a/grafana.spec b/grafana.spec
index 9e2c7f30cdc2b76aeacff9a2eeacb66547ab923d..30ec0c74367f5a8aafd614fd74344dd5c59d106e 100644
--- a/grafana.spec
+++ b/grafana.spec
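Review bot: The backport changes only the `content_security_policy` default in conf/defaults.ini (the conf/sample.ini line stays commented out with a leading `;`, so that hunk is documentation only), which is a response-header mitigation rather than a fix of the vulnerable code path, and any deployment that already sets `content_security_policy = false` in its grafana.ini silently keeps the old behaviour. The subject `fix CVE-2025-4123` and the matching changelog entry read as if the issue were closed; I would record the mitigation scope next to the flipped line in defaults.ini, e.g. `# Enabled by default as a mitigation for CVE-2025-4123; setting this to false in grafana.ini removes that protection.`, and word the changelog entry as a mitigation. How much the header actually blocks also depends on the `content_security_policy_template` value directly below, which this patch leaves untouched, so it is worth confirming the 9.2.10 template is the one the mitigation was evaluated against.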
@@ -36,7 +36,7 @@ end}
 Name: grafana
 Version: 9.2.10
-Release: 22%{anolis_release}%{?dist}
+Release: 23%{anolis_release}%{?dist}
 Summary: Metrics dashboard and graph editor
 License: AGPLv3
 URL: https://grafana.org
@@ -98,6 +98,7 @@ Patch13: 0013-snapshot-delete-check-org.patch
 Patch14: 0014-resolve-dompurify-CVE.patch
 Patch15: 0015-update-go-git-version.patch
 Patch16: 0016-fix-macaron-version-error.patch
+Patch17: 0017-fix-CVE-2025-4123.patch
 
 # Patches affecting the vendor tarball
 Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@@ -780,6 +781,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 14 -p1
 %patch -P 15 -p1
 %patch -P 16 -p1
+%patch -P 17 -p1
 %patch -P 1001 -p1
 
 %if %{enable_fips_mode}
@@ -1034,10 +1036,13 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
-* Thu Mar 20 2025 Liwei Ge 9.2.10-22.0.1
+* Tue May 20 2025 Liwei Ge 9.2.10-23.0.1
 - Use cn proxy for go build
 - Support loongarch build
 
+* Tue May 13 2025 Sam Feifer 9.2.10-23
+- Resolves RHEL-89949: CVE-2025-4123
+
 * Wed Feb 5 2025 Sam Feifer 9.2.10-22
 - Resolves RHEL-75921: grafana selinux issue with autofs_t