diff --git a/backport-CVE-2025-27516.patch b/backport-CVE-2025-27516.patch
new file mode 100644
index 0000000000000000000000000000000000000000..26f314427eda68f27d5f98aaf1129c5920f6abbd
--- /dev/null
+++ b/backport-CVE-2025-27516.patch
@@ -0,0 +1,104 @@
+From 90457bbf33b8662926ae65cdde4c4c32e756e403 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Wed, 5 Mar 2025 10:08:48 -0800
+Subject: [PATCH] attr filter uses env.getattr
+
+Reference:https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
+
+---
+ Jinja2-2.11.2/CHANGES.rst            |  3 +++
+ Jinja2-2.11.2/src/jinja2/filters.py  | 35 +++++++++++++---------------
+ Jinja2-2.11.2/tests/test_security.py | 10 ++++++++
+ 3 files changed, 29 insertions(+), 19 deletions(-)
+
+diff --git a/Jinja2-2.11.2/CHANGES.rst b/Jinja2-2.11.2/CHANGES.rst
+index 6ef2d3d..b8010ef 100644
+--- a/Jinja2-2.11.2/CHANGES.rst
++++ b/Jinja2-2.11.2/CHANGES.rst
+@@ -1,5 +1,8 @@
+ .. currentmodule:: jinja2
+ 
++-   The ``|attr`` filter does not bypass the environment's attribute lookup,
++    allowing the sandbox to apply its checks. :ghsa:`cpwx-vrp4-4pq7`
++
+ -   Escape template name before formatting it into error messages, to avoid
+     issues with names that contain f-string syntax.
+     :issue:`1792`, :ghsa:`gmj6-6f8f-6699`
+diff --git a/Jinja2-2.11.2/src/jinja2/filters.py b/Jinja2-2.11.2/src/jinja2/filters.py
+index 92592dc..ccfc5fb 100644
+--- a/Jinja2-2.11.2/src/jinja2/filters.py
++++ b/Jinja2-2.11.2/src/jinja2/filters.py
+@@ -7,6 +7,7 @@ import warnings
+ from collections import namedtuple
+ from itertools import chain
+ from itertools import groupby
++from inspect import getattr_static
+ 
+ from markupsafe import escape
+ from markupsafe import Markup
+@@ -1072,29 +1073,25 @@ def do_reverse(value):
+ 
+ @environmentfilter
+ def do_attr(environment, obj, name):
+-    """Get an attribute of an object.  ``foo|attr("bar")`` works like
+-    ``foo.bar`` just that always an attribute is returned and items are not
+-    looked up.
++    """Get an attribute of an object. ``foo|attr("bar")`` works like
++    ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
++    if the attribute doesn't exist.
+ 
+     See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
+     """
++    # Environment.getattr will fall back to obj[name] if obj.name doesn't exist.
++    # But we want to call env.getattr to get behavior such as sandboxing.
++    # Determine if the attr exists first, so we know the fallback won't trigger.
+     try:
+-        name = str(name)
+-    except UnicodeError:
+-        pass
+-    else:
+-        try:
+-            value = getattr(obj, name)
+-        except AttributeError:
+-            pass
+-        else:
+-            if environment.sandboxed and not environment.is_safe_attribute(
+-                obj, name, value
+-            ):
+-                return environment.unsafe_undefined(obj, name)
+-            return value
+-    return environment.undefined(obj=obj, name=name)
+-
++        # This avoids executing properties/descriptors, but misses __getattr__
++        # and __getattribute__ dynamic attrs.
++        getattr_static(obj, name)
++    except AttributeError:
++        # This finds dynamic attrs, and we know it's not a descriptor at this point.
++        if not hasattr(obj, name):
++            return environment.undefined(obj=obj, name=name)
++
++    return environment.getattr(obj, name)
+ 
+ @contextfilter
+ def do_map(*args, **kwargs):
+diff --git a/Jinja2-2.11.2/tests/test_security.py b/Jinja2-2.11.2/tests/test_security.py
+index 0d3e60c..a5f0c4d 100644
+--- a/Jinja2-2.11.2/tests/test_security.py
++++ b/Jinja2-2.11.2/tests/test_security.py
+@@ -225,3 +225,13 @@ class TestStringFormatMap(object):
+ 
+         with pytest.raises(SecurityError):
+             t.render()
++
++    def test_attr_filter(self):
++        env = SandboxedEnvironment()
++        t = env.from_string(
++            """{{ "{0.__call__.__builtins__[__import__]}"
++                  | attr("format")(not_here) }}"""
++        )
++
++        with pytest.raises(SecurityError):
++            t.render()
+-- 
+2.43.0
+
diff --git a/python-jinja2.spec b/python-jinja2.spec
index c4713d085382651b10d10a45d2be37014ad4a3c0..fe611056635fa046a64037a69dc8208554b91dd9 100644
--- a/python-jinja2.spec
+++ b/python-jinja2.spec
@@ -2,7 +2,7 @@
 
 Name:           python-jinja2
 Version:        2.11.2
-Release:        9
+Release:        10
 Summary:        A full-featured template engine for Python
 License:        BSD
 URL:            http://jinja.pocoo.org/
@@ -17,6 +17,7 @@ Patch9001:      backport-CVE-2024-56326.patch
 Patch9002:      backport-CVE-2024-56326-2.patch
 Patch9003:      backport-CVE-2024-56326-3.patch
 Patch9004:      backport-CVE-2024-56201.patch
+Patch9005:      backport-CVE-2025-27516.patch
 
 BuildArch:      noarch
 
@@ -114,6 +115,12 @@ popd
 %doc Jinja2-%{version}/ext Jinja2-%{version}/examples
 
 %changelog
+* Mon May 12 2025 weihaohao <weihaohao2@huawei.com> - 2.11.2-10
+ Type:CVE
+ CVE:CVE-2025-27516
+ SUG:NA
+ DESC:fix CVE-2025-27516
+
 * Thu Dec 26 2024 weihaohao <weihaohao2@huawei.com> - 2.11.2-9
  Type:CVE
  CVE:CVE-2024-56201