diff --git a/0003-fix-CVE-2024-49766.patch b/0003-fix-CVE-2024-49766.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fd8cdb825a816d9c78d7f2d537bc8bc31cb761a7
--- /dev/null
+++ b/0003-fix-CVE-2024-49766.patch
@@ -0,0 +1,102 @@ +From 87cc78a25f782f8c59fbde786840a00cf0d09b3d Mon Sep 17 00:00:00 2001 +From: David Lord +Date: Fri, 25 Oct 2024 09:56:15 -0700 +Subject: [PATCH] catch special absolute path on Windows Python < 3.11 + +--- + CHANGES.rst | 33 +++++++++++++++++++++++++++++++++ + src/werkzeug/security.py | 2 ++ + tests/test_security.py | 17 +++++++++++------ + 3 files changed, 46 insertions(+), 6 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index 6f801b9..99c67ff 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -1,4 +1,37 @@ + .. currentmodule:: werkzeug ++Version 3.0.3 ++------------- ++ ++Unreleased ++ ++- Only allow ``localhost``, ``.localhost``, ``127.0.0.1``, or the specified ++ hostname when running the dev server, to make debugger requests. Additional ++ hosts can be added by using the debugger middleware directly. The debugger ++ UI makes requests using the full URL rather than only the path. ++ :ghsa:`2g68-c3qc-8985` ++- Make reloader more robust when ``""`` is in ``sys.path``. :pr:`2823` ++- Better TLS cert format with ``adhoc`` dev certs. :pr:`2891` ++- Inform Python < 3.12 how to handle ``itms-services`` URIs correctly, rather ++ than using an overly-broad workaround in Werkzeug that caused some redirect ++ URIs to be passed on without encoding. :issue:`2828` ++- Type annotation for ``Rule.endpoint`` and other uses of ``endpoint`` is ++ ``Any``. :issue:`2836` ++ ++ ++Version 3.0.2 ++------------- ++ ++Released 2024-04-01 ++ ++- Ensure setting ``merge_slashes`` to ``False`` results in ``NotFound`` for ++ repeated-slash requests against single slash routes. :issue:`2834` ++- Fix handling of ``TypeError`` in ``TypeConversionDict.get()`` to match ++ ``ValueError``. :issue:`2843` ++- Fix ``response_wrapper`` type check in test client. :issue:`2831` ++- Make the return type of ``MultiPartParser.parse`` more precise. ++ :issue:`2840` ++- Raise an error if converter arguments cannot be parsed. 
:issue:`2822` ++ + + Version 3.0.1 + ------------- +diff --git a/src/werkzeug/security.py b/src/werkzeug/security.py +index 578caf7..96d9136 100644 +--- a/src/werkzeug/security.py ++++ b/src/werkzeug/security.py +@@ -147,6 +147,8 @@ def safe_join(directory: str, *pathnames: str) -> str | None: + if ( + any(sep in filename for sep in _os_alt_seps) + or os.path.isabs(filename) ++ # ntpath.isabs doesn't catch this on Python < 3.11 ++ or filename.startswith("/") + or filename == ".." + or filename.startswith("../") + ): +diff --git a/tests/test_security.py b/tests/test_security.py +index 6fad089..3ce741a 100644 +--- a/tests/test_security.py ++++ b/tests/test_security.py +@@ -1,5 +1,4 @@ + import os +-import posixpath + import sys + + import pytest +@@ -47,11 +46,17 @@ def test_invalid_method(): + generate_password_hash("secret", "sha256") + + +-def test_safe_join(): +- assert safe_join("foo", "bar/baz") == posixpath.join("foo", "bar/baz") +- assert safe_join("foo", "../bar/baz") is None +- if os.name == "nt": +- assert safe_join("foo", "foo\\bar") is None ++@pytest.mark.parametrize( ++ ("path", "expect"), ++ [ ++ ("b/c", "a/b/c"), ++ ("../b/c", None), ++ ("b\\c", None if os.name == "nt" else "a/b\\c"), ++ ("//b/c", None), ++ ], ++) ++def test_safe_join(path, expect): ++ assert safe_join("a", path) == expect + + + def test_safe_join_os_sep(): +-- +2.39.3 + diff --git a/python-werkzeug.spec b/python-werkzeug.spec index d0b696c8dabb0e67ed3fbcdac20bb099f6809e67..721b2f9d3813f1da177423d40daac9b5aef5e599 100644 --- a/python-werkzeug.spec +++ b/python-werkzeug.spec @@ -1,4 +1,4 @@ -%define anolis_release 3 +%define anolis_release 4 %global srcname Werkzeug %global modname werkzeug 
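Review bot: The CHANGES.rst hunk inside the new patch file (the inner `@@ -1,4 +1,37 @@` hunk) inserts the upstream 3.0.3 and 3.0.2 release notes, none of which describe the safe_join change named in the patch subject, and most of which refer to fixes (:pr:`2823`, :pr:`2891`, :issue:`2828`, :issue:`2836`, the whole 3.0.2 list) that a 3.0.1 package carrying only Patch0–Patch2 does not appear to contain. Shipping that text would make the installed CHANGES.rst claim fixes that are not present; drop the CHANGES.rst hunk from the backport, or replace it with a single entry for this fix, so the patch only touches `src/werkzeug/security.py` and `tests/test_security.py`. The code change itself, `or filename.startswith("/")` placed after `os.path.isabs(filename)`, matches the stated Windows / Python < 3.11 gap and is harmless on POSIX, where `os.path.isabs` already rejects a leading slash, so the security hunk is still worth carrying as defense in depth for a noarch package. If Patch1 already modified CHANGES.rst, also confirm this hunk's context still applies before the rebuild.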
@@ -19,6 +19,7 @@ Source0: https://github.com/pallets/werkzeug/releases/download/%{version} # Upstream: https://github.com/pallets/werkzeug/pull/2172 Patch0: 0001-preserve-any-existing-PYTHONPATH-in-tests.patch Patch1: 0002-python-werkzeug-fix-CVE-2024-34069.patch +Patch2: 0003-fix-CVE-2024-49766.patch BuildArch: noarch @@ -102,6 +103,9 @@ find examples/ -type f -name '*.png' -executable -print -exec chmod -x "{}" + %doc CHANGES.rst README.rst %changelog +* Sat May 10 2025 yangjinlin01 - 3.0.1-4 +- fix CVE-2024-49766 + * Mon Jul 08 2024 dash - 3.0.1-3 - fix CVE-2024-34069
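Review bot: The new `Patch2: 0003-fix-CVE-2024-49766.patch` line has no provenance comment, while `Patch0` is preceded by `# Upstream: https://github.com/pallets/werkzeug/pull/2172`; add `# Upstream: https://github.com/pallets/werkzeug/commit/87cc78a25f782f8c59fbde786840a00cf0d09b3d` (the commit id from the patch header) above it so the backport can be traced and re-checked against upstream. The hunk does not show `%prep`, so also confirm that section applies Patch2, either automatically via `%autosetup -p1` or with an explicit `%patch -P2 -p1` if patches are applied by hand; otherwise the CVE fix would be declared in the spec and named in `%changelog` but never applied to the built package.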