diff --git a/httpd-2.4.6-CVE-2025-58098.patch b/httpd-2.4.6-CVE-2025-58098.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3918b77217a0b62c72588ca2538efade93dbe94f
--- /dev/null
+++ b/httpd-2.4.6-CVE-2025-58098.patch
@@ -0,0 +1,38 @@
+From 1670aab24caa03d2d6dcc115b5710cb032cd18d0 Mon Sep 17 00:00:00 2001
+From: zhuhong_bo
+Date: Tue, 13 Jan 2026 16:49:18 +0800
+Subject: [PATCH] httpd-2.4.6 CVE-2025-58098
+
+---
+ modules/generators/mod_cgid.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
+index 256de93..791a445 100644
+--- a/modules/generators/mod_cgid.c
++++ b/modules/generators/mod_cgid.c
+@@ -233,7 +233,7 @@ static char **create_argv(apr_pool_t *p, char *path, char *user, char *group,
+ char *w;
+ int idx = 0;
+ 
+- if (!(*args) || ap_strchr_c(args, '=')) {
++ if (!args || !(*args) || ap_strchr_c(args, '=')) {
+ numwords = 0;
+ }
+ else {
+@@ -799,8 +799,10 @@ static int cgid_server(void *data)
+ else {
+ apr_pool_userdata_set(r, ERRFN_USERDATA_KEY, apr_pool_cleanup_null, ptrans);
+ 
+- argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args);
+-
++ /* Do not pass args in case of SSI requests */
++ argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL,
++ argv0,
++ cgid_req.req_type == SSI_REQ ? NULL : r->args);
+ /* We want to close sd2 for the new CGI process too.
+ * If it is left open it'll make ap_pass_brigade() block
+ * waiting for EOF if CGI forked something running long.
+--
+1.8.3.1
+
diff --git a/httpd.spec b/httpd.spec
index c5edfe7ed4510c3a0db6c5763bcbefa9512a5204..c0ed31cda108c14d61b2bcc18ecf8595caace7d3 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -15,7 +15,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.6
-Release: 99%{?dist}.6
+Release: 99%{?dist}.7
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
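Review bot: The one-line comment added before the create_argv call in cgid_server says what is done but not why, which matters for a security backport because nothing stops a later cleanup from reinstating `r->args` for every request type; suggest widening it to `/* CVE-2025-58098: r->args is the request query string, and create_argv treats it as argv words unless it contains '='; an SSI request must not turn that string into command-line arguments, so pass NULL here */`. The new `!args` guard at the head of create_argv is what makes the NULL safe, but only the first lines of that function are in the hunk; the remainder, including whatever runs when numwords is non-zero, is outside it and should be confirmed to read args only on that path. Both enclosing functions, create_argv and cgid_server, start before and end after their hunk lines. The diffstat in the patch header (5 insertions, 3 deletions) matches the hunks as shown.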
@@ -259,6 +259,7 @@ Patch252: 0001-cve-fix-CVE-2024-38476.patch
 #end
 Patch253: httpd-2.4.6-CVE-2024-47252.patch
 Patch254: httpd-2.4.6-CVE-2025-49812.patch
+Patch255: httpd-2.4.6-CVE-2025-58098.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -536,6 +537,7 @@ rm modules/ssl/ssl_engine_dh.c
 %patch252 -p1 -b .cve-fix-CVE-2024-38476
 %patch253 -p1 -b .CVE-2024-47252
 %patch254 -p1 -b .CVE-2025-49812
+%patch255 -p1 -b .CVE-2025-58098
 
 # need to be applied in the end since security patches
 # are changing the code that present in this patch
@@ -969,6 +971,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd
 
 %changelog
+* Tue Jan 13 2026 zhuhongbo - 2.4.6-99.7
+- cve: fix cve CVE-2025-58098
+
 * Tue Dec 09 2025 zhuhongbo - 2.4.6-99.6
 - cve: fix cve CVE-2024-47252 CVE-2025-49812