diff --git a/0001-Fix-CVE-2023-25153.patch b/0001-Fix-CVE-2023-25153.patch
new file mode 100644
index 0000000000000000000000000000000000000000..aa6abe00a55385618205c59127cc5fbaf2eb5b29
--- /dev/null
+++ b/0001-Fix-CVE-2023-25153.patch
@@ -0,0 +1,36 @@
+From e1ec32e24f11bb3f003ef876e404777c1041349b Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Wed, 13 Mar 2024 15:03:38 +0800
+Subject: [PATCH] Fix CVE-2023-25153
+
+---
+ images/archive/importer.go | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/images/archive/importer.go b/images/archive/importer.go
+index c531049..8ba3206 100644
+--- a/images/archive/importer.go
++++ b/images/archive/importer.go
+@@ -232,12 +232,14 @@ func ImportIndex(ctx context.Context, store content.Store, reader io.Reader, opt
+ return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)
+ }
+
++const (
++ kib = 1024
++ mib = 1024 * kib
++ jsonLimit = 20 * mib
++)
++
+ func onUntarJSON(r io.Reader, j interface{}) error {
+- b, err := io.ReadAll(r)
+- if err != nil {
+- return err
+- }
+- return json.Unmarshal(b, j)
++ return json.NewDecoder(io.LimitReader(r, jsonLimit)).Decode(j)
+ }
+
+ func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {
+--
+2.20.1
+
diff --git a/k3s-containerd.spec b/k3s-containerd.spec
index 3d656a3f05f7373f1ce0ce4f9c8304fb5b4222f0..6008e1cef690b02a1cf42907979b45cad6a4828b 100644
--- a/k3s-containerd.spec
+++ b/k3s-containerd.spec
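Review bot: In the embedded importer.go patch, the new `onUntarJSON` is less strict than the `json.Unmarshal` call it replaces: `Decode` stops after the first JSON value, so bytes following that value in the entry are no longer rejected. An entry larger than `jsonLimit` whose first value ends inside the limit also decodes without error. If strict parsing of imported archives matters, keep the decoder in a variable and reject leftover input after `Decode`, for example by checking `dec.More()`. An entry cut off mid-value at the limit surfaces only as a generic unexpected-EOF decode error, so the constant deserves a comment such as `// jsonLimit bounds how many bytes of a JSON archive entry are decoded, so an oversized entry cannot exhaust memory during import.` The bodies of ImportIndex and onUntarBlob lie outside the hunk.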
@@ -3,14 +3,16 @@ %global version_suffix k3s1 Version: 1.6.6 Name: k3s-containerd -Release: 6 +Release: 7 Summary: An industry-standard container runtime License: Apache-2.0 URL: https://github.com/k3s-io/containerd Source0: https://github.com/k3s-io/containerd/archive/refs/tags/v%{version}-%{version_suffix}.tar.gz #source1 from https://github.com/golang/sys version: v0.4.0 Source1: sys.tar.gz + Patch0: bbolt-add-loong64-support.patch +Patch0001: 0001-Fix-CVE-2023-25153.patch BuildRequires: golang glibc-static make btrfs-progs-devel @@ -75,6 +77,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib %changelog +* Wed Mar 13 2024 zhangbowei - 1.6.6-k3s1-7 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: fix CVE-2023-25153 + * Wed Jul 12 2023 huajingyun - 1.6.6-k3s1-6 - Update sys to v0.4.0