diff --git a/libxml2-2.9.7-CVE-2024-25062.patch b/libxml2-2.9.7-CVE-2024-25062.patch
new file mode 100644
index 0000000000000000000000000000000000000000..936004dc79b6ef4c3569d4ead647244bfe7cade4
--- /dev/null
+++ b/libxml2-2.9.7-CVE-2024-25062.patch
@@ -0,0 +1,29 @@
+From b9d4ab2fd6b7da380edab777a0414ef254804f0d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 34c4c6bc..8f2f9131 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1511,6 +1511,7 @@ node_found:
+      * Handle XInclude if asked for
+      */
+     if ((reader->xinclude) && (reader->node != NULL) &&
++        (reader->state != XML_TEXTREADER_BACKTRACK) &&
+ 	(reader->node->type == XML_ELEMENT_NODE) &&
+ 	(reader->node->ns != NULL) &&
+ 	((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
+-- 
+2.44.0
+
diff --git a/libxml2.spec b/libxml2.spec
index ca8539b0ef6e7998fac78189b96e254ca9fe0144..5266c528e1e21c093abe57c516dfb060f491830c 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.2
+%define anolis_release .0.3
 
 %if 0%{?rhel} > 7
 # Disable python2 build by default
@@ -65,6 +65,9 @@ Patch22:        libxml2-2.9.7-CVE-2023-29469.patch
 # https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9
 Patch23:        libxml2-2.9.7-CVE-2023-39615.patch
 
+# upstream fix:https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d
+Patch24:        libxml2-2.9.7-CVE-2024-25062.patch
+
 # Add by Anolis
 Patch1000:	0001-modify-home-page.patch
 # End
@@ -239,6 +242,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 
 %changelog
+* Fri Jun 07 2024 Kai Song <songkai01@inspur.com> - 2.9.7-18.0.3
+- Fix CVE-2024-25062
+
 * Tue Dec 05 2023 Bo Liu <liubo03@inspur.com> - 2.9.7-18.0.2
 - Fix CVE-2023-39615