diff --git a/0008-add-secure-compile-sp-and-fs-in-CMakeLists.patch b/0008-add-secure-compile-sp-and-fs-in-CMakeLists.patch
new file mode 100644
index 0000000000000000000000000000000000000000..16a876e956d2f9535c60335f8b8ca638a0ae15f5
--- /dev/null
+++ b/0008-add-secure-compile-sp-and-fs-in-CMakeLists.patch
@@ -0,0 +1,25 @@
+From 7150db5cdffb7da21796b581ccea08f6f5646eae Mon Sep 17 00:00:00 2001
+From: dongyuzhen <dongyuzhen@h-partners.com>
+Date: Tue, 1 Jul 2025 12:01:44 +0800
+Subject: [PATCH] add secure compile sp and fs in CMakeLists
+
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 0b169f3..3417db8 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -2,7 +2,7 @@
+ # to 3.26.
+ cmake_minimum_required(VERSION 3.10...3.26)
+ 
+-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wl,-z,now -fstack-check -fPIE")
++set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wl,-z,now -fstack-check -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2")
+ set(CMAKE_EXE_LINKER_FLAGS "-pie")
+ if (ENABLE_CONVERAGE)
+   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage")
+-- 
+2.43.0
+
diff --git a/protobuf.spec b/protobuf.spec
index 94392b2c5b6191abcebda3fd5a289f5843b3102d..acb76ff195e26868992b6c8ace13ade1104e09b5 100644
--- a/protobuf.spec
+++ b/protobuf.spec
@@ -15,7 +15,7 @@
 Summary:        Protocol Buffers - Google's data interchange format
 Name:           protobuf
 Version:        25.1
-Release:        12
+Release:        13
 License:        BSD-3-Clause
 URL:            https://github.com/protocolbuffers/protobuf
 Source:         https://github.com/protocolbuffers/protobuf/releases/download/v%{version}%{?rcver}/%{name}-all-%{version}%{?rcver}.tar.gz
@@ -29,6 +29,7 @@ Patch9003:      0004-backport-CVE-2024-7254-1.patch
 Patch9004:      0005-backport-CVE-2024-7254-2.patch
 Patch9005:      0006-fix-CVE-2025-4565-1.patch 
 Patch9006:      0007-fix-CVE-2025-4565-2.patch 
+Patch9007:      0008-add-secure-compile-sp-and-fs-in-CMakeLists.patch
 
 BuildRequires:  cmake gcc-c++ emacs zlib-devel gmock-devel gtest-devel jsoncpp-devel
 BuildRequires:  fdupes pkgconfig python-rpm-macros pkgconfig(zlib) ninja-build
@@ -399,6 +400,12 @@ install -p -m 0644 %{SOURCE1} %{buildroot}%{_emacs_sitestartdir}
 %endif
 
 %changelog
+* Tue Jul 01 2025 dongyuzhen <dongyuzhen@h-partners.com> - 25.1-13
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: add secure compile sp and fs in CMakeLists
+
 * Thu June 26 2025 zhongtao <zhongtao17@huawei.com> - 25.1-12
 - Type:bugfix
 - ID:NA