diff --git a/CVE-2022-37797.patch b/CVE-2022-37797.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4c5f6d1cf8b21804e259ff28f644af74ff4e98c6
--- /dev/null
+++ b/CVE-2022-37797.patch
@@ -0,0 +1,31 @@
+From 0c44d8db340ee9db0173ea8aede073707d5ffcfc Mon Sep 17 00:00:00 2001
+From: Glenn Strauss
+Date: Tue, 13 Sep 2022 06:47:48 +0000
+Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
+
+x-ref:
+ "mod_wstunnel null pointer dereference"
+ https://redmine.lighttpd.net/issues/3165
+---
+ src/mod_wstunnel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
+index 6843ace..fff2ca9 100644
+--- a/src/mod_wstunnel.c
++++ b/src/mod_wstunnel.c
+@@ -506,7 +506,10 @@ static handler_t wstunnel_handler_setup (server *srv, connection *con, plugin_da
+ hctx->srv = srv; /*(for mod_wstunnel module-specific DEBUG_LOG() macro)*/
+ hctx->conf = p->conf; /*(copies struct)*/
+ hybivers = wstunnel_check_request(con, hctx);
+- if (hybivers < 0) return HANDLER_FINISHED;
++ if (hybivers < 0) {
++ r->handler_module = NULL;
++ return HANDLER_FINISHED;
++ }
+ hctx->hybivers = hybivers;
+ if (0 == hybivers) {
+ DEBUG_LOG(MOD_WEBSOCKET_LOG_INFO,"s","WebSocket Version = hybi-00");
+-- 
+2.33.0
+
diff --git a/lighttpd.spec b/lighttpd.spec
index 65afeed7035c5ebc90159e5c2b465c8fc2998717..10b4fdf894babdb0a1b8ea23b32f21da880f2c96 100644
--- a/lighttpd.spec
+++ b/lighttpd.spec
@@ -20,7 +20,7 @@ Summary: Lightning fast webserver with light system requirements
 Name: lighttpd
 Version: 1.4.53
-Release: 2
+Release: 3
 License: BSD-3-Clause and OML and GPLv3 and GPLv2
 URL: https://github.com/lighttpd/lighttpd1.4
 Source0: https://github.com/lighttpd/lighttpd1.4/archive/lighttpd-1.4.53.tar.gz 
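Review bot: The added line `r->handler_module = NULL;` refers to a variable `r` that does not appear anywhere in the surrounding context of this backport — the inner hunk header shows the 1.4.53-era signature `wstunnel_handler_setup (server *srv, connection *con, plugin_da…` and the call `wstunnel_check_request(con, hctx)`, whereas upstream commit 0c44d8db was presumably written against a tree where the handler receives the request object as `r`. If `r` is not in scope in this version, `%patch2 -p1` will apply cleanly but the build will fail, and if the line is later dropped to make it compile, the change degrades back to the bare `return HANDLER_FINISHED` that leaves the module attached to the rejected connection, which is the null-pointer-dereference path the patch subject describes. The backport should use whatever 1.4.53 provides to detach the plugin on this path (the `con`-based counterpart of clearing the handler module, e.g. resetting `con->mode` if that is still the mechanism in this release), be build- and smoke-tested with a WebSocket request carrying an unsupported version header, and carry a comment such as `/* detach module: early return alone leaves later request processing touching hctx state this function never finished setting up */` above the assignment. The rest of wstunnel_handler_setup lies outside the hunk.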
@@ -30,6 +30,7 @@ Source3: lighttpd.init
 Source4: lighttpd.service
 Patch0: lighttpd-1.4.45-defaultconf.patch
 Patch1: CVE-2022-22707.patch
+Patch2: CVE-2022-37797.patch
 Requires: %{name}-filesystem
 %if %{with systemd}
 Requires(post): systemd
@@ -108,6 +109,7 @@ for the directories.
 %setup -q -n lighttpd1.4-%{name}-%{version}
 %patch0 -p0 -b .defaultconf
 %patch1 -p1
+%patch2 -p1
 %build
 autoreconf -if
@@ -254,6 +256,9 @@ fi
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/
 %changelog
+* Tue Sep 13 2022 cenhuilin - 1.4.53-3
+- Fix CVE-2022-37797
+
 * Fri Jan 14 2022 yaoxin - 1.4.53-2
 - Fix CVE-2022-22707