diff --git a/backport-CVE-2024-47220.patch b/backport-CVE-2024-47220.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6ac4a509c562f4874cff35233285b6e0da835cf0
--- /dev/null
+++ b/backport-CVE-2024-47220.patch
@@ -0,0 +1,62 @@
+From f5faca9222541591e1a7c3c97552ebb0c92733c7 Mon Sep 17 00:00:00 2001
+From: Jeremy Evans
+Date: Wed, 18 Sep 2024 14:11:49 -0700
+Subject: [PATCH] Prevent request smuggling
+
+If a request has both a content-length and transfer-encoding
+headers, return a 400 response. This is allowed by RFC 7230
+section 3.3.3.3.
+
+Fixes #145
+---
+ lib/webrick/httprequest.rb | 4 ++++
+ test/webrick/test_httprequest.rb | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
+index 5cf5844..820acb2 100644
+--- a/lib/webrick/httprequest.rb
++++ b/lib/webrick/httprequest.rb
+@@ -474,6 +474,10 @@ module WEBrick
+ def read_body(socket, block)
+ return unless socket
+ if tc = self['transfer-encoding']
++ if self['content-length']
++ raise HTTPStatus::BadRequest, "request with both transfer-encoding and content-length, possible request smuggling"
++ end
++
+ case tc
+ when /\Achunked\z/io then read_chunked(socket, block)
+ else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
+diff --git a/test/webrick/test_httprequest.rb b/test/webrick/test_httprequest.rb
+index 855ff9d..cce9b91 100644
+--- a/test/webrick/test_httprequest.rb
++++ b/test/webrick/test_httprequest.rb
+@@ -81,6 +81,24 @@ GET /
+ }
+ end
++
+ def test_content_length_and_transfer_encoding_headers_smuggling
++ msg = <<~HTTP.gsub("\n", "\r\n")
++ POST /user HTTP/1.1
++ Content-Length: 28
++ Transfer-Encoding: chunked
++
++ 0
++
++ GET /admin HTTP/1.1
++
++ HTTP
++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
++ req.parse(StringIO.new(msg))
++ assert_raise(WEBrick::HTTPStatus::BadRequest){
++ req.body
++ }
++ end
++
+ def test_parse_headers
+ msg = <<-_end_of_message_
+ GET /path HTTP/1.1
+--
+2.27.0
+
diff --git a/ruby.spec b/ruby.spec
index 32f718a0ab2fc2b5ec1378fccdc3aaee706f18c9..8e2772c370cc302a32e434b57148fb2a920d271b 100644
--- a/ruby.spec
+++ b/ruby.spec
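Review bot: The new guard in `read_body` is only reached when something actually reads the request body, so a handler that answers a request carrying both Content-Length and Transfer-Encoding without ever calling `body` never produces the 400; whether the unread bytes are then drained or the connection closed depends on server code outside this patch (presumably a post-handler fixup step, which I cannot see here), and on a kept-alive connection that leftover data is precisely what this fix is meant to neutralise. Rejecting at header-parse time closes that gap independently of handler behaviour: after the headers are parsed in `parse` (outside this hunk), add `if self['transfer-encoding'] && self['content-length']` / `raise HTTPStatus::BadRequest, "request with both transfer-encoding and content-length, possible request smuggling"` / `end`, and keep the `read_body` check as a second line of defence. The added test only exercises the `body` path; a companion assertion that `parse` alone raises, or a server-level test with a handler that ignores the body, would pin the stronger behaviour. Note that `read_body` continues past the quoted context and the new `if` sits inside the existing `if tc = self['transfer-encoding']` branch, so a request with only Content-Length (including duplicated or conflicting values) is deliberately out of scope here and not covered by the new test.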
@@ -1,6 +1,6 @@
 Name: ruby
 Version: 2.5.8
-Release: 129
+Release: 130
 Summary: Object-oriented scripting language interpreter
 License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL: https://www.ruby-lang.org/
@@ -72,6 +72,7 @@ Patch6028: upgrade-lib-rexml-test-to-3.3.1.patch
 Patch6029: backport-CVE-2024-41946.patch
 Patch6030: backport-CVE-2024-39908-CVE-2024-41123-upgrade-lib-rexml-to-3.3.3.patch
 Patch6031: backport-CVE-2024-43398-upgrade-lib-rexml-to-3.3.6.patch
+Patch6032: backport-CVE-2024-47220.patch
 
 Patch9000: add-require_relative-helper-to-uninitialized-constan.patch
 
@@ -611,6 +612,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.*
 
 %changelog
+* Tue Oct 08 2024 shixuantong - 2.5.8-130
+- fix CVE-2024-47220
+
 * Mon Sep 02 2024 shixuantong - 2.5.8-129
 - upgrade rexml to fix CVE-2024-39908 CVE-2024-41123 CVE-2024-43398
 