diff --git a/CVE-2025-59432.patch b/CVE-2025-59432.patch
new file mode 100644
index 0000000000000000000000000000000000000000..63a6a30bba112b0ce48d82d77c85d9ce328c1330
--- /dev/null
+++ b/CVE-2025-59432.patch
@@ -0,0 +1,82 @@
+From e0b0cf99f05406a0d26682c72fcb5728e95124b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jorge=20Sol=C3=B3rzano?=
+Date: Tue, 16 Sep 2025 19:51:50 +0200
+Subject: [PATCH] fix(security): Timing Attack Vulnerability
+
+A timing attack vulnerability exists in the SCRAM Java implementation.
+The issue arises because Arrays.equals was used to compare secret values
+such as client proofs and server signatures. Since Arrays.equals
+performs a short-circuit comparison, the execution time varies depending
+on how many leading bytes match. This behavior could allow an attacker
+to perform a timing side-channel attack and potentially infer sensitive
+authentication material. All users relying on SCRAM authentication are
+impacted.
+
+This vulnerability has been patched by replacing Arrays.equals with
+MessageDigest.isEqual, which ensures constant-time comparison.
+---
+ checks/forbiddenapis.txt | 2 ++
+ .../main/java/com/ongres/scram/common/ScramFunctions.java | 8 ++++----
+ scram-parent/pom.xml | 3 +++
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+ create mode 100644 checks/forbiddenapis.txt
+
+diff --git a/checks/forbiddenapis.txt b/checks/forbiddenapis.txt
+new file mode 100644
+index 0000000..57bd571
+--- /dev/null
++++ b/checks/forbiddenapis.txt
+@@ -0,0 +1,2 @@
++
++java.util.Arrays#equals(byte[],byte[]) @ Replace with java.security.MessageDigest#isEqual(byte[],byte[])
+diff --git a/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java b/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java
+index 43687c4..a129e55 100644
+--- a/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java
++++ b/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java
+@@ -7,8 +7,8 @@ package com.ongres.scram.common;
+
+ import static java.nio.charset.StandardCharsets.UTF_8;
+
++import java.security.MessageDigest;
+ import java.security.SecureRandom;
+-import java.util.Arrays;
+
+ import com.ongres.scram.common.util.Preconditions;
+ import org.jetbrains.annotations.NotNull;
+@@ -190,8 +190,7 @@ public final class ScramFunctions {
+ byte[] clientSignature = clientSignature(scramMechanism, storedKey, authMessage);
+ byte[] clientKey = CryptoUtil.xor(clientSignature, clientProof);
+ byte[] computedStoredKey = hash(scramMechanism, clientKey);
+-
+- return Arrays.equals(storedKey, computedStoredKey);
++ return MessageDigest.isEqual(storedKey, computedStoredKey);
+ }
+
+ /**
+@@ -205,7 +204,8 @@ public final class ScramFunctions {
+ */
+ public static boolean verifyServerSignature(
+ ScramMechanism scramMechanism, byte[] serverKey, String authMessage, byte[] serverSignature) {
+- return Arrays.equals(serverSignature(scramMechanism, serverKey, authMessage), serverSignature);
++ byte[] computedServerSignature = serverSignature(scramMechanism, serverKey, authMessage);
++ return MessageDigest.isEqual(serverSignature, computedServerSignature);
+ }
+
+ /**
+diff --git a/scram-parent/pom.xml b/scram-parent/pom.xml
+index b155dae..d26323d 100644
+--- a/scram-parent/pom.xml
++++ b/scram-parent/pom.xml
+@@ -530,6 +530,9 @@
+
+ jdk-system-out
+
++
++ ${checks.location}/forbiddenapis.txt
++
+
+
+
+--
+2.43.0
+
diff --git a/ongres-scram.spec b/ongres-scram.spec
index 79e76355270b0f26971d279980cf8373e0c6ee06..5f2626d82470ed5ae305c6fec7a9b3bdf231478a 100644
--- a/ongres-scram.spec
+++ b/ongres-scram.spec
@@ -1,11 +1,12 @@
 Name: ongres-scram
 Version: 3.0
-Release: 1
+Release: 2
 Summary: Java Implementation for SCRAM(Salted Challenge Response Authentication Mechanism)
 License: BSD
 URL: https://github.com/ongres/scram
 Source0: https://github.com/ongres/scram/archive/3.0/scram-3.0.tar.gz
 Patch0: 0001-convert-String-to-char-array.patch
+Patch1: CVE-2025-59432.patch
 BuildRequires: maven-local ongres-stringprep junit5
 BuildRequires: mvn(org.apache.maven.plugins:maven-install-plugin)
 BuildRequires: mvn(org.apache.maven.plugins:maven-invoker-plugin)
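Review bot: In `verifyServerSignature` the peer-supplied `serverSignature` is passed as the first argument to `MessageDigest.isEqual`, whereas `verifyClientProof` passes the stored key first, so the two call sites disagree on which side drives the comparison loop. Current JDK documentation states that the running time of `isEqual` depends only on the length of its first argument; digest lengths are not secret, so this leaks nothing by itself, but putting the locally computed value first ties the timing to a fixed-length value: `return MessageDigest.isEqual(computedServerSignature, serverSignature);`. A one-line comment at both returns, such as `// constant-time compare; do not replace with Arrays.equals`, would keep the reason visible to readers who never open checks/forbiddenapis.txt. The body of `verifyClientProof` starts outside the hunk, so how `clientProof` is length-checked before the XOR cannot be confirmed from here.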
@@ -80,6 +81,10 @@ rm -rf scram-common/src/test/java/com/ongres/scram/common/UsAsciiUtilsTest.java %files parent -f .mfiles-scram-parent %changelog +* Wed Sep 24 2025 jinshuaiyu - 3.0-2 +- fix CVE-2025-59432 +- fix(security): Timing Attack Vulnerability + * Tue Jun 03 2025 Ge Wang - 3.0-1 - Upgrade to 3.0 version