diff --git a/Invoke-initgroups-iff-we-got-enough-privileges.patch b/Invoke-initgroups-iff-we-got-enough-privileges.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f0afd57ed9a45332894fae33bfc68d2d80d64161
--- /dev/null
+++ b/Invoke-initgroups-iff-we-got-enough-privileges.patch
@@ -0,0 +1,28 @@
+From d4dda9b5583d19e2eee268fec59aa487d61fc079 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Valent=C3=ADn=20Guti=C3=A9rrez?=
+Date: Thu, 21 Nov 2024 03:54:03 +0100
+Subject: [PATCH] Invoke initgroups() iff we got enough privileges (#11869)
+ (#11872)
+
+Follow up of #11855, that rendered unusable ATS as root when spawned via traffic_manager.
+---
+ src/tscore/ink_cap.cc | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
+index 0f0d6f869e2..f464daad3b1 100644
+--- a/src/tscore/ink_cap.cc
++++ b/src/tscore/ink_cap.cc
+@@ -156,8 +156,10 @@ impersonate(const struct passwd *pwd, ImpersonationLevel level)
+ #endif
+
+ // Always repopulate the supplementary group list for the new user.
+- if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+- Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
++ if (geteuid() == 0) { // check that we have enough rights to call initgroups()
++ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
++ Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
++ }
+ }
+
+ switch (level) {
diff --git a/trafficserver.spec b/trafficserver.spec
index 38ab6dc0dedff12fa7ab0ef0da214fab127a755b..ef7f3fad7e1d87da0464b147cd0f238f89f0fe8e 100644
--- a/trafficserver.spec
+++ b/trafficserver.spec
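Review bot: The new `if (geteuid() == 0)` gate makes the skip path silent — when the effective UID is not 0, impersonate() continues with whatever supplementary groups the process inherited and nothing is logged, so an operator cannot tell from the output whether the group list was repopulated or simply carried over from the parent. On Linux the privilege initgroups() actually needs is CAP_SETGID rather than euid 0, so a process that holds that capability without being root (plausible given this file's capability handling, but not visible in the hunk) is now skipped even though the call would have succeeded. I would add an else branch that records the decision through whichever logging macro the file already uses alongside Fatal, e.g. `} else { /* not root: initgroups() would fail with EPERM; the inherited supplementary groups are kept */ }`, and tighten the inline comment to `// initgroups() needs root (CAP_SETGID); without it the inherited supplementary groups are kept`. The enclosing impersonate() begins and ends outside this hunk.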
@@ -2,7 +2,7 @@
 %global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
 Name: trafficserver
 Version: 9.2.5
-Release: 2
+Release: 3
 Summary: Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 License: Apache-2.0
 URL: https://trafficserver.apache.org/
@@ -17,6 +17,7 @@ Patch0006: add-loong64-support.patch
 Patch0007: CVE-2024-38479.patch
 Patch0008: CVE-2024-50305.patch
 Patch0009: CVE-2024-50306.patch
+Patch0010: Invoke-initgroups-iff-we-got-enough-privileges.patch
 BuildRequires: expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel
 BuildRequires: libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker
 BuildRequires: libcap-devel cmake libunwind-devel automake chrpath
@@ -137,6 +138,9 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{_datadir}/pkgconfig/trafficserver.pc
 
 %changelog
+* Tue Dec 03 2024 yaoxin - 9.2.5-3
+- Fix trafficserver service error
+
 * Fri Nov 15 2024 wangkai <13474090681@163.com> - 9.2.5-2
 - Fix CVE-2024-38479, CVE-2024-50306, CVE-2024-50305
 - Replace openEuler with vendor