diff --git a/fix-cve-2024-47081.patch b/fix-cve-2024-47081.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0b4848263c5f3ee499d1904fccbd53789d76c2ed
--- /dev/null
+++ b/fix-cve-2024-47081.patch
@@ -0,0 +1,18 @@
+diff -urN requests-2.32.3/src/requests/utils.py requests-2.32.3-new/src/requests/utils.py
+--- requests-2.32.3/src/requests/utils.py	2024-05-29 23:36:10.000000000 +0800
++++ requests-2.32.3-new/src/requests/utils.py	2025-07-01 17:33:44.315382792 +0800
+@@ -234,12 +234,8 @@
+ 
+         ri = urlparse(url)
+ 
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b":"
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode("ascii")
+-        host = ri.netloc.split(splitstr)[0]
++       
++        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)
diff --git a/python-requests.spec b/python-requests.spec
index 251c455ed2546d7c8f6026ad7e7da2fe52d757f1..1bfda2d2777de62902dcdd773e1a3ddb47218801 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -2,12 +2,13 @@
 
 Name:           python-requests
 Version:        2.31.0
-Release:        1
+Release:        2
 Summary:        Python HTTP Library
 License:        ASL 2.0
 URL:            http://python-requests.org/
 Source0:        https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz
 Patch6001:      backport-requests-2.31.0-system-certs.patch
+Patch6002:	fix-cve-2024-47081.patch
 BuildArch:      noarch
 
 %description
@@ -92,6 +93,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
 %doc HISTORY.md README.md
 
 %changelog
+* Wed Jul 2 2025 wubijie123 <wubijie@kyliuos.cn> - 2.31.0-2
+- fix cve-2024-47081
+
 * Thu Jul 13 2023 zhangchenglin <zhangchenglin@kylinos.cn> - 2.31.0-1
 - Update package to version 2.31.0