diff --git a/7-bugfix-for-CVE-2025-48989.patch b/7-bugfix-for-CVE-2025-48989.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e8032577f040aacbb82b6d6c4e083a055688f3b8
--- /dev/null
+++ b/7-bugfix-for-CVE-2025-48989.patch
@@ -0,0 +1,162 @@
+commit f36b8a4eea4ce8a0bc035079e1d259d29f5eb7bf
+Author: Mark Thomas <markt@apache.org>
+Date:   Thu Jul 31 14:53:16 2025 +0100
+
+    Update the HTTP/2 overhead documentation - particularly code comments
+Origin: https://github.com/apache/tomcat/commit/f36b8a4eea4ce8a0bc035079e1d259d29f5eb7bf
+
+diff --git a/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java b/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java
+index e436fa6938..f2cfd339e0 100644
+--- a/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java
++++ b/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java
+@@ -131,6 +131,9 @@ public class Http2AsyncUpgradeHandler extends Http2UpgradeHandler {
+             log.trace(sm.getString("upgradeHandler.rst.debug", connectionId, Integer.toString(se.getStreamId()),
+                     se.getError(), se.getMessage()));
+         }
++
++        increaseOverheadCount(FrameType.RST, getProtocol().getOverheadResetFactor());
++
+         // Write a RST frame
+         byte[] rstFrame = new byte[13];
+         // Length
+diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+index 4f5c356dea..9628f48589 100644
+--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
++++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+@@ -582,6 +582,8 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+                     se.getError(), se.getMessage()));
+         }
+ 
++        increaseOverheadCount(FrameType.RST, getProtocol().getOverheadResetFactor());
++
+         // Write a RST frame
+         byte[] rstFrame = new byte[13];
+         // Length
+@@ -1411,39 +1411,59 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+ 
+ 
+     void reduceOverheadCount(FrameType frameType) {
+-        // A non-overhead frame reduces the overhead count by
+-        // Http2Protocol.DEFAULT_OVERHEAD_REDUCTION_FACTOR. A simple browser
+-        // request is likely to have one non-overhead frame (HEADERS) and one
+-        // overhead frame (REPRIORITISE). With the default settings the overhead
+-        // count will reduce by 10 for each simple request.
+-        // Requests and responses with bodies will create additional
+-        // non-overhead frames, further reducing the overhead count.
++        /*
++         * A non-overhead frame reduces the overhead count by {@code Http2Protocol.DEFAULT_OVERHEAD_REDUCTION_FACTOR}.
++         *
++         * A simple browser request is likely to have one non-overhead frame (HEADERS) that results in a response with
++         * one further non-overhead frame (DATA). With the default settings, the overhead count will reduce by 40 for
++         * each simple request.
++         *
++         * Requests and responses with bodies will create additional non-overhead frames, further reducing the overhead
++         * count.
++         */
+         updateOverheadCount(frameType, Http2Protocol.DEFAULT_OVERHEAD_REDUCTION_FACTOR);
+     }
+ 
+ 
+     @Override
+     public void increaseOverheadCount(FrameType frameType) {
+-        // An overhead frame increases the overhead count by
+-        // overheadCountFactor. By default, this means an overhead frame
+-        // increases the overhead count by 10. A simple browser request is
+-        // likely to have one non-overhead frame (HEADERS) and one overhead
+-        // frame (REPRIORITISE). With the default settings the overhead count
+-        // will reduce by 10 for each simple request.
++        /*
++         * An overhead frame (SETTINGS, PRIORITY, PING) increases the overhead count by overheadCountFactor. By default,
++         * this means an overhead frame increases the overhead count by 10.
++         *
++         * If the client ignores maxConcurrentStreams then any HEADERS frame received will also increase the overhead
++         * count by overheadCountFactor.
++         *
++         * A simple browser request should not trigger any overhead frames.
++         */
+         updateOverheadCount(frameType, getProtocol().getOverheadCountFactor());
+     }
+ 
+ 
+-    private void increaseOverheadCount(FrameType frameType, int increment) {
+-        // Overhead frames that indicate inefficient (and potentially malicious)
+-        // use of small frames trigger an increase that is inversely
+-        // proportional to size. The default threshold for all three potential
+-        // areas for abuse (HEADERS, DATA, WINDOW_UPDATE) is 1024 bytes. Frames
+-        // with sizes smaller than this will trigger an increase of
+-        // threshold/size.
+-        // DATA and WINDOW_UPDATE take an average over the last two non-final
+-        // frames to allow for client buffering schemes that can result in some
+-        // small DATA payloads.
++    /**
++     * Used to increase the overhead for frames that don't use the {@code overheadCountFactor} ({@code CONTINUATION},
++     * {@code DATA}, {@code WINDOW_UPDATE} and {@code RESET}).
++     *
++     * @param frameType The frame type triggering the overhead increase
++     * @param increment The amount by which the overhead is increased
++     */
++    protected void increaseOverheadCount(FrameType frameType, int increment) {
++        /*
++         * Three types of frame are susceptible to inefficient (and potentially malicious) use of small frames. These
++         * trigger an increase in overhead that is inversely proportional to size. The default threshold for all three
++         * potential areas for abuse (CONTINUATION, DATA, WINDOW_UPDATE) is 1024 bytes. Frames with sizes smaller than
++         * this will trigger an increase of threshold/size.
++         *
++         * The check for DATA and WINDOW_UPDATE frames takes an average over the last two frames to allow for client
++         * buffering schemes that can result in some small DATA payloads.
++         *
++         * The CONTINUATION and DATA frames checks are skipped for end of headers (CONTINUATION) and end of stream
++         * (DATA) as those frames may be small for legitimate reasons.
++         *
++         * RESET frames (received or sent) trigger an increase of overheadResetFactor.
++         *
++         * In all cases, the calling method determines the extent to which the overhead count is increased.
++         */
+         updateOverheadCount(frameType, increment);
+     }
+ 
+@@ -1652,9 +1652,9 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+             if (payloadSize < overheadThreshold) {
+                 if (payloadSize == 0) {
+                     // Avoid division by zero
+-                    increaseOverheadCount(FrameType.HEADERS, overheadThreshold);
++                    increaseOverheadCount(FrameType.CONTINUATION, overheadThreshold);
+                 } else {
+-                    increaseOverheadCount(FrameType.HEADERS, overheadThreshold / payloadSize);
++                    increaseOverheadCount(FrameType.CONTINUATION, overheadThreshold / payloadSize);
+                 }
+             }
+         }
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index df1c90b7a7..0c1588a506 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -111,6 +111,12 @@ 
+         Ensure application configured welcome files override the defaults when
+         configuring an embedded web application programmatically. (markt)
+       </fix>
++      <fix>
++        Update the HTTP/2 overhead documentation - particularly the code
++        comments - to reflect the deprecation of the <code>PRIORITY</code> frame
++        and clarify that a stream reset always triggers an overhead increase.
++        (markt)
++      </fix>
+       <fix>
+         Allow the default servlet to set the content length when the content
+         length is known, no content has been written and a <code>Writer</code>
+diff --git a/webapps/docs/config/http2.xml b/webapps/docs/config/http2.xml
+index 0a0d98cb32..b2329a4fdb 100644
+--- a/webapps/docs/config/http2.xml
++++ b/webapps/docs/config/http2.xml
+@@ -241,8 +241,9 @@ 
+     <attribute name="overheadResetFactor" required="false">
+       <p>The amount by which the overhead count (see
+       <strong>overheadCountFactor</strong>) will be increased for each reset
+-      frame received. If not specified, a default value of <code>50</code> will
+-      be used. A value of less than zero will be treated as zero.</p>
++      frame received or sent. If not specified, a default value of
++      <code>50</code> will be used. A value of less than zero will be treated as
++      zero.</p>
+     </attribute>
+ 
+     <attribute name="overheadDataThreshold" required="false">
diff --git a/tomcat.spec b/tomcat.spec
index c8e1d05a4c512199fd0e075bfde486f59abf53ec..a1cad36a9b25dd19c78cfdd2b0bf4f2bb9024a93 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 
 %global jspspec 2.3
 %global major_version 9
@@ -53,6 +53,7 @@ Patch2:        %{name}-build.patch
 Patch3:        %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        rhbz-1857043.patch
 Patch6:        %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch
+Patch7:        7-bugfix-for-CVE-2025-48989.patch
 
 BuildArch:     noarch
 
@@ -520,6 +521,9 @@ fi
 %doc {NOTICE,RELEASE*}
 
 %changelog
+* Mon Oct 20 2025 tomcruiseqi <tomcruiseqi@inspur.com> - 1:9.0.107-2
+- Fix CVE-2025-48989
+
 * Fri Jul 18 2025 zjl02254423 <zjl02254423@libaba-inc.com> -1:9.0.107-1
 - update to 9.0.107 to fix CVE-2025-52434,CVE-2025-52520,CVE-2025-53506