diff --git a/backport-fix-CVE-2025-22868.patch b/backport-fix-CVE-2025-22868.patch
new file mode 100644
index 0000000000000000000000000000000000000000..071cdc7295cfa64bc369f0a9377145d101b9b10b
--- /dev/null
+++ b/backport-fix-CVE-2025-22868.patch
@@ -0,0 +1,41 @@
+From db5fc498c9e6ef96a92db21c455d4ab963c44172 Mon Sep 17 00:00:00 2001
+From: Gopher Robot
+Date: Mon, 14 Apr 2025 13:33:07 +0800
+Subject: [PATCH] jws: split token into fixed number of parts
+
+Thanks to 'jub0bs' for reporting this issue.
+
+Fixes #71490
+Fixes CVE-2025-22868
+
+Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
+Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
+Auto-Submit: Gopher Robot
+Reviewed-by: Damien Neil
+Reviewed-by: Roland Shoemaker
+LUCI-TryBot-Result: Go LUCI
+---
+ vendor/golang.org/x/oauth2/jws/jws.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go
+index 9501564..6f03a49 100644
+--- a/vendor/golang.org/x/oauth2/jws/jws.go
++++ b/vendor/golang.org/x/oauth2/jws/jws.go
+@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
+ // Verify tests whether the provided JWT token's signature was produced by the private key
+ // associated with the supplied public key.
+ func Verify(token string, key *rsa.PublicKey) error {
+- parts := strings.Split(token, ".")
+- if len(parts) != 3 {
++ if strings.Count(token, ".") != 2 {
+ return errors.New("jws: invalid token received, token must have 3 parts")
+ }
+ 
++ parts := strings.SplitN(token, ".", 3)
+ signedContent := parts[0] + "." + parts[1]
+ signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
+ if err != nil {
+-- 
+2.25.1
+
diff --git a/ignition.spec b/ignition.spec
index d19943d95a548d29af391c4c60143b0561fb8c7e..af58fc60e064507eaf1455f03d5e1908522cc35a 100644
--- a/ignition.spec
+++ b/ignition.spec
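Review bot: The new `if strings.Count(token, ".") != 2` guard in `Verify` carries no comment saying why it has to run before `strings.SplitN`, so a later refresh of the vendored copy could quietly reintroduce `strings.Split` on an attacker-controlled token, which is exactly what this backport removes. A one-line comment above the check, `// Count separators first so a token with many dots cannot force an unbounded allocation (CVE-2025-22868).`, would capture that; since this patch is a verbatim upstream backport, the same sentence in the patch header or the spec changelog is an acceptable place if you prefer not to diverge from upstream. The same upstream jws.go, as far as I recall it, still splits the payload with `strings.Split` in `Decode`, and that function is untouched here; if ignition reaches `Decode` on an untrusted input path, confirm that separately rather than assuming this patch covers it. `Verify` continues past the end of the embedded hunk.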
@@ -7,7 +7,7 @@
 Name: ignition
 Version: 2.19.0
-Release: 4
+Release: 5
 Summary: First boot installer and configuration tool
 License: Apache-2.0
 URL: https://github.com/coreos/ignition
@@ -15,6 +15,7 @@ Source0: https://github.com/coreos/ignition/archive/v%{version}/%{name}-%
 Patch01: 0001-backport-akamai-fix-base64-decoding.patch
 Patch02: 0002-backport-fix-go-clean-drop-package-name.patch
+Patch03: backport-fix-CVE-2025-22868.patch
 BuildRequires: libblkid-devel
 BuildRequires: golang >= 1.20
@@ -226,6 +227,12 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition
 %{_bindir}/ignition-validate
 %changelog
+* Mon Apr 14 2025 zhangbowei - 2.19.0-5
+-Type:cve
+-CVE:CVE-2025-22868
+-SUG:NA
+-DESC:backport CVE-2025-22868
+
 * Thu Feb 13 2025 chendexi - 2.19.0-4
 - Type:bugfix
 - CVE:NA
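Review bot: `Patch03: backport-fix-CVE-2025-22868.patch` breaks the numbering convention the two existing patches follow (`0001-…`, `0002-…`); naming the file `0003-backport-fix-CVE-2025-22868.patch` and updating the `Patch03:` line keeps the application order readable from the filename alone. In the new changelog entry the tag lines are written as `-Type:cve` / `-CVE:CVE-2025-22868` while the previous entry uses `- Type:bugfix` / `- CVE:NA` with a space after the dash, so matching the existing form keeps the entries consistent for anyone parsing them. The hunks shown do not include the `%prep` section, so how the new patch is applied (`%autosetup` or explicit `%patch` with `-p1` to strip the `a/vendor/…` prefix) is not visible here; confirm it applies without fuzz in the build.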