diff --git a/0049-Fix-CVE-2025-58189.patch b/0049-Fix-CVE-2025-58189.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bf8e45312a02538840bd2fc967b90e228eb31cac
--- /dev/null
+++ b/0049-Fix-CVE-2025-58189.patch
@@ -0,0 +1,43 @@
+From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 10:11:56 -0700
+Subject: [PATCH] [release-branch.go1.24] crypto/tls: quote protocols in ALPN
+ error message
+
+Quote the protocols sent by the client when returning the ALPN
+negotiation error message.
+
+Fixes CVE-2025-58189
+Updates #75652
+Fixes #75660
+
+Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330
+Reviewed-on: https://go-review.googlesource.com/c/go/+/707776
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-by: Nicholas Husin <nsh@golang.org>
+Auto-Submit: Nicholas Husin <nsh@golang.org>
+Reviewed-by: Nicholas Husin <husin@google.com>
+TryBot-Bypass: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
+(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/708096
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+---
+ src/crypto/tls/handshake_server.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
+index 7c75977ad3ffb2..6aebb742229a50 100644
+--- a/src/crypto/tls/handshake_server.go
++++ b/src/crypto/tls/handshake_server.go
+@@ -338,7 +338,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro
+ 	if http11fallback {
+ 		return "", nil
+ 	}
+-	return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
++	return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos)
+ }
+ 
+ // supportsECDHE returns whether ECDHE key exchanges can be used with this
diff --git a/golang.spec b/golang.spec
index b126ec7f36166aeb39157ae892a37357407f264c..568e7799e043defd3c554bda23514588e0afc62f 100644
--- a/golang.spec
+++ b/golang.spec
@@ -1,4 +1,4 @@
-%define anolis_release 10
+%define anolis_release 11
 
 # Disable debuginfo packages
 %global debug_package %{nil}
@@ -132,6 +132,8 @@ Patch46:         0046-Fix-CVE-2025-22874.patch
 Patch47:         0047-Fix-CVE-2025-47906.patch
 # https://github.com/golang/go/commit/334de7982f8ec959c74470dd709ceedfd6dbd50a
 Patch48:         0048-Fix-CVE-2025-22870.patch
+# https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9
+Patch49:         0049-Fix-CVE-2025-58189.patch
 
 # The compiler is written in Go. Needs go(1.4+) compiler for build.
 %if %{with bootstrap}
@@ -609,6 +611,9 @@ fi
 %files docs -f go-docs.list
 
 %changelog
+* Mon Nov 3 2025 wh02252983 <wh02252983@alibaba-inc.com> - 1.24.0-11
+- add patch to fix CVE-2025-58189
+
 * Mon Oct 27 2025 mgb01105731 <mgb01105731@alibaba-inc.com> - 1.24.0-10
 - Add patch to fix CVE-2025-22870