diff --git a/0001-tighten-check-in-check_fd_under_path.patch b/0001-tighten-check-in-check_fd_under_path.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a4685494c7458c2e64df3e724f4e4d89bcb99eb3
--- /dev/null
+++ b/0001-tighten-check-in-check_fd_under_path.patch
@@ -0,0 +1,27 @@
+From f6f92b872352e7ee29d7e91552150712437bf808 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Erik=20Sj=C3=B6lund?=
+Date: Sat, 26 Aug 2023 11:18:00 +0200
+Subject: [PATCH] utils: tighten check in check_fd_under_path()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Giuseppe Scrivano
+Signed-off-by: Erik Sjölund
+---
+ src/libcrun/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
+index ce0844481..1b7104a4b 100644
+--- a/src/libcrun/utils.c
++++ b/src/libcrun/utils.c
+@@ -333,7 +333,7 @@ check_fd_under_path (const char *rootfs, size_t rootfslen, int fd, const char *f
+ if (UNLIKELY (ret < 0))
+ return crun_make_error (err, errno, "readlink `%s`", fdname);
+
+- if (((size_t) ret) <= rootfslen || memcmp (link, rootfs, rootfslen) != 0)
++ if (((size_t) ret) <= rootfslen || memcmp (link, rootfs, rootfslen) != 0 || link[rootfslen] != '/')
+ return crun_make_error (err, 0, "target `%s` not under the directory `%s`", fdname, rootfs);
+
+ return 0;
diff --git a/0002-CVE-2025-24965.patch b/0002-CVE-2025-24965.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b15c78eea935aba487e833d2ac4d154cdb590cae
--- /dev/null
+++ b/0002-CVE-2025-24965.patch
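Review bot: The new `link[rootfslen] != '/'` test silently assumes `rootfs` is passed without a trailing slash; if a caller hands in `/some/dir/` (or `/` itself) the byte at `rootfslen` is the first character of the child name rather than a separator, and every target is rejected. The ordering of the three tests is load-bearing and deserves a comment, since readlink() does not NUL-terminate `link` and `link[rootfslen]` is only in bounds because `(size_t) ret > rootfslen` was established first; I would add above the `if`: `/* rootfs must be absolute with no trailing '/'; ret > rootfslen guarantees link[rootfslen] is within the bytes readlink wrote.  */`. Whether callers can pass a trailing slash is not visible here, so this may only be a documentation matter. check_fd_under_path starts before the hunk and its closing brace lies after it.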
@@ -0,0 +1,41 @@
+From b79b4ba532316faa0b4147bc4edb5e6f14f5f18d Mon Sep 17 00:00:00 2001
+From: zhihang
+Date: Fri, 7 Mar 2025 02:22:00 +0000
+Subject: [PATCH] CVE-2025-24965
+
+Signed-off-by: zhihang
+---
+ src/libcrun/handlers/krun.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
+index 0342a33..2437967 100644
+--- a/src/libcrun/handlers/krun.c
++++ b/src/libcrun/handlers/krun.c
+@@ -43,6 +43,8 @@
+ /* libkrun has a hard-limit of 8 vCPUs per microVM. */
+ #define LIBKRUN_MAX_VCPUS 8
+
++#define KRUN_CONFIG_FILE ".krun_config.json"
++
+ struct krun_config
+ {
+ void *handle;
+@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
+ if (UNLIKELY (ret < 0))
+ return ret;
+
+- ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
++ /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user. We
++ must ensure the file is opened below the rootfs directory. */
++ fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
++ if (UNLIKELY (fd < 0))
++ return fd;
++
++ ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+ }
+--
+2.43.0
+
diff --git a/crun-1.8.1.tar.xz b/crun-1.8.1.tar.xz
deleted file mode 100644
index 8a601eec8534db53c7fb9a68cbd44ec7640faaaa..0000000000000000000000000000000000000000
Binary files a/crun-1.8.1.tar.xz and /dev/null differ
diff --git a/crun-1.8.7.tar.xz b/crun-1.8.7.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..d551438017837d755ca9fd65d61218513ccc15d9
Binary files /dev/null and b/crun-1.8.7.tar.xz differ
diff --git a/crun.spec b/crun.spec
index 659e713d1808f1821a00b85223f3f8f72ed683d2..265153d0dfb7590ba83bb7ce5a07325bc39039c8 100644
--- a/crun.spec
+++ b/crun.spec
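Review bot: The descriptor returned by `safe_openat` is never closed in the hunk: after `safe_write` the code returns `ret` on error and falls through on success with `fd` still open, and the diffstat (9 insertions, all visible here) shows this backport adds no declaration for `fd`. libkrun_configure_container starts and ends outside the hunk, so unless `fd` is already declared there as `cleanup_close int fd = -1;` the descriptor leaks on both paths and the patch needs either that declaration or an explicit `close (fd);` after the write. Separately, `0700` as the creation mode puts an execute bit on a JSON file; `0600` states the intent of a private, non-executable config more precisely, assuming nothing downstream relies on the mode.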
@@ -1,16 +1,32 @@
 Name: crun
-Version: 1.8.1
-Release: 1
+Version: 1.8.7
+Release: 4
 Summary: A fast and low-memory footprint OCI Container Runtime fully written in C.
 URL: https://github.com/containers/%{name}
+
+Patch1: 0001-tighten-check-in-check_fd_under_path.patch
+Patch2: 0002-CVE-2025-24965.patch
+
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz
-License: GPLv2+ and LGPLv2.1+
-BuildRequires: autoconf automake gcc python
-BuildRequires: libcap-devel systemd-devel yajl-devel libseccomp-devel libselinux-devel
-BuildRequires: libtool make glibc-static protobuf-c-devel
-%ifnarch %ix86
-BuildRequires: criu-devel >= 3.15
+License: GPL-2.0-only
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: gcc
+BuildRequires: git-core
+BuildRequires: gperf
+BuildRequires: libcap-devel
+BuildRequires: systemd-devel
+BuildRequires: yajl-devel
+BuildRequires: libseccomp-devel
+BuildRequires: python3-libmount
+BuildRequires: libtool
+BuildRequires: protobuf-c-devel
+%ifnarch riscv64
+BuildRequires: criu-devel
+Recommends: criu
+Recommends: criu-libs
 %endif
+BuildRequires: python3
 Provides: oci-runtime

 %description
@@ -42,6 +58,25 @@ rm -rf %{buildroot}%{_prefix}/lib*
 %{_mandir}/man1/*

 %changelog
+* Fri Mar 7 2025 zhihang - 1.8.7-4
+- Fix CVE-2025-24965
+
+* Fri Jul 19 2024 zhangxingrong- - 1.8.7-3
+- utils: tighten check in check_fd_under_path()
+
+* Sun Apr 28 2024 yinsist - 1.8.7-2
+- Disable criu dependency for RISC-V as criu does not currently support RISC-V
+
+* Thu Apr 25 2024 lijian - 1.8.7-1
+- update to 1.8.7
+- crun: new command "crun features".
+- linux: support io_priority from the OCI specs.
+- cgroup: allow setting swap to 0.
+- cgroup, systemd: set the memory limit on the system scope.
+
+* Wed Apr 17 2024 huayumeng - 1.8.1-2
+- readonlyPaths should inherit flags from parent mount
+
 * Wed May 10 2023 zmr_2020 - 1.8.1-1
 - update to 1.8.1
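Review bot: The `License:` tag changes meaning rather than just notation: `GPLv2+ and LGPLv2.1+` said "or later" and covered the LGPL-licensed library part, while `GPL-2.0-only` drops both, and nothing in this hunk or the changelog explains why. If the intent was only to move to SPDX identifiers, the equivalent tag is `License: GPL-2.0-or-later AND LGPL-2.1-or-later`; if upstream 1.8.7 really relicensed, the changelog entry for 1.8.7-1 should say so. Also, `libselinux-devel` and `glibc-static` were dropped from BuildRequires with no changelog note; if the 1.8.7 build no longer needs them this is fine, but a line in the 1.8.7-1 entry would make the change reviewable.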