diff --git a/0001-CVE-2023-37460.patch b/0001-CVE-2023-37460.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab428a7cf9b91df25251786cd41c6a009b3a1759
--- /dev/null
+++ b/0001-CVE-2023-37460.patch
@@ -0,0 +1,128 @@
+From a8a56a9ad3c8b6f4414ebbb80880bd395ad5568a Mon Sep 17 00:00:00 2001
+From: hanguanqiang
+Date: Thu, 19 Jun 2025 18:15:27 +0800
+Subject: [PATCH] CVE-2023-37460
+
+---
+ .../plexus/archiver/AbstractUnArchiver.java | 17 +++++++++++------
+ .../codehaus/plexus/archiver/SymlinkTest.java | 4 ++++
+ .../plexus/archiver/zip/ZipArchiverTest.java | 11 +++++++++++
+ src/test/resources/symlinks/regen.sh | 15 ++++++++++++++-
+ 4 files changed, 40 insertions(+), 7 deletions(-)
+
+diff --git a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
+index f3f389e..5d55689 100644
+--- a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
++++ b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
+@@ -36,6 +36,8 @@
+ import org.codehaus.plexus.util.IOUtil;
+ import org.codehaus.plexus.util.StringUtils;
+ 
++import java.nio.file.Path;
++import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
+ // TODO there should really be constructors which take the source file.
+ 
+ /**
+@@ -332,14 +334,20 @@ protected void extractFile( final File srcF, final File dir, final InputStream c
+ final File targetFileName = FileUtils.resolveFile( dir, entryName );
+ 
+ // Make sure that the resolved path of the extracted file doesn't escape the destination directory
+- String canonicalDirPath = dir.getCanonicalPath();
+- String canonicalDestPath = targetFileName.getCanonicalPath();
++ Path canonicalDirPath = dir.getCanonicalFile().toPath();
++ Path canonicalDestPath = targetFileName.getCanonicalFile().toPath();
+ 
+ if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
+ {
+ throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
+ }
+ 
++ if (StringUtils.isEmpty(symlinkDestination) && Files.isSymbolicLink(canonicalDestPath)) {
++ throw new ArchiverException("Entry is outside of the target directory (" + entryName + ")");
++ }
++
++
++
+ try
+ {
+ if ( !shouldExtractEntry( dir, targetFileName, entryName, entryDate ) )
+@@ -364,10 +372,7 @@ else if ( isDirectory )
+ }
+ else
+ {
+- try ( OutputStream out = Files.newOutputStream( targetFileName.toPath() ) )
+- {
+- IOUtil.copy( compressedInputStream, out );
+- }
++ Files.copy(compressedInputStream,targetFileName.toPath(),REPLACE_EXISTING);
+ }
+ 
+ targetFileName.setLastModified( entryDate.getTime() );
+diff --git a/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java b/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java
+index 0afb78a..a14ff20 100644
+--- a/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java
++++ b/src/test/java/org/codehaus/plexus/archiver/SymlinkTest.java
+@@ -68,6 +68,8 @@ public void testSymlinkTar()
+ unarchiver.setSourceFile( archiveFile );
+ unarchiver.setDestFile( output );
+ unarchiver.extract();
++ // second unpacking should also work
++ unarchiver.extract();
+ }
+ 
+ public void testSymlinkZip()
+@@ -88,6 +90,8 @@ public void testSymlinkZip()
+ unarchiver.setSourceFile( archiveFile );
+ unarchiver.setDestFile( output );
+ unarchiver.extract();
++ // second unpacking should also work
++ unarchiver.extract();
+ }
+ 
+ public void testSymlinkDirArchiver()
+diff --git a/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java b/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java
+index cca135c..b6168e2 100644
+--- a/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java
++++ b/src/test/java/org/codehaus/plexus/archiver/zip/ZipArchiverTest.java
+@@ -947,4 +947,15 @@ private long toLocalTimeZone( long timestamp )
+ }
+ }
+ 
++ public void testNonExistingSymlink() throws Exception {
++ File zipFile = new File("src/test/resources/symlinks/non_existing_symlink.zip");
++ ZipUnArchiver unArchiver = getZipUnArchiver(zipFile);
++ String tmpdir = Files.createTempDirectory("tmpe_extract").toFile().getAbsolutePath();
++ unArchiver.setDestDirectory(new File(tmpdir));
++ try {
++ unArchiver.extract();
++ } catch (Exception e){
++ assertEquals("Entry is outside of the target directory (entry1)", e.getMessage());
++ }
++ }
+ }
+diff --git a/src/test/resources/symlinks/regen.sh b/src/test/resources/symlinks/regen.sh
+index f3c3a9d..9cff2ec 100755
+--- a/src/test/resources/symlinks/regen.sh
++++ b/src/test/resources/symlinks/regen.sh
+@@ -3,4 +3,17 @@ rm symlinks.tar
+ cd src
+ zip --symlinks ../symlinks.zip file* targetDir sym*
+ tar -cvf ../symlinks.tar file* targetDir sym*
+-
++cd ..
++rm non_existing_symlink.zip
++mkdir non_existing_symlink
++cd non_existing_symlink
++ln -s /tmp/target entry1
++echo -ne 'content' > entry2
++zip --symlinks ../non_existing_symlink.zip entry1 entry2
++cd ..
++rm -rf non_existing_symlink
++if [ "x$(uname)" = "xLinux" ];then
++ LC_ALL=C sed -i 's/entry2/entry1/' non_existing_symlink.zip
++else
++ LC_ALL=C sed -i '' 's/entry2/entry1/' non_existing_symlink.zip
++fi
+--
+2.43.0
+
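Review bot: `testNonExistingSymlink` in the ZipArchiverTest hunk of this patch passes even when `extract()` throws nothing, because the `try` body has no `fail(...)` after the call and the `catch` holds the only assertion; put `fail("expected ArchiverException");` right after `unArchiver.extract();` and catch `ArchiverException` instead of `Exception` so an unrelated error cannot satisfy the message check (the base class that supplies `assertEquals` should supply `fail` as well). In the AbstractUnArchiver hunks, replacing `Files.newOutputStream` with `Files.copy(..., REPLACE_EXISTING)` is the part that stops data being written through a symlink already present at the target — with REPLACE_EXISTING, `Files.copy` replaces the link itself rather than the file it points to — yet the line carries no comment; `// REPLACE_EXISTING replaces an existing symlink instead of writing through it` would keep a later refactor from going back to a stream write. The new `isSymbolicLink` check runs on the canonicalised path, so as far as I can tell it only catches links whose target does not exist (canonicalisation cannot resolve those and keeps the link name), while links with an existing target are handled by the `startsWith` check above; a comment stating that division, and a message naming the symlink case instead of reusing "outside of the target directory" (the test's expected string would change with it), would make the intent readable. `extractFile` begins before the hunk, and `symlinkDestination` appears to be one of its parameters.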
diff --git a/non_existing_symlink.zip b/non_existing_symlink.zip
new file mode 100644
index 0000000000000000000000000000000000000000..a281a860d465fa53040019d90c3272bff70d0bf3
Binary files /dev/null and b/non_existing_symlink.zip differ
diff --git a/plexus-archiver.spec b/plexus-archiver.spec
index 398f8a967ba1dbe5112a86dc61598429807774d1..591bede535a691b2821d6044a29739ec2f8b9c70 100644
--- a/plexus-archiver.spec
+++ b/plexus-archiver.spec
@@ -1,11 +1,14 @@
 Name: plexus-archiver
 Version: 4.2.7
-Release: 1
+Release: 2
 Epoch: 0
 Summary: Plexus Archiver Components
 License: Apache-2.0
 URL: http://codehaus-plexus.github.io/plexus-archiver
 Source0: https://github.com/codehaus-plexus/plexus-archiver/archive/plexus-archiver-%{version}.tar.gz
+Source1: non_existing_symlink.zip
+
+Patch1: 0001-CVE-2023-37460.patch
 
 BuildRequires: maven-local
 BuildRequires: mvn(org.tukaani:xz)
@@ -43,7 +46,7 @@ including Java EE applications or web applications.
 %prep
 %autosetup -n %{name}-%{name}-%{version} -p1
 %mvn_file :%{name} plexus/archiver
-
+cp -a %{SOURCE1} src/test/resources/symlinks/
 
 %build
 %mvn_build -f
@@ -57,6 +60,9 @@ including Java EE applications or web applications.
 
 
 %changelog
+* Thu Jun 19 2025 hanguanqiang - 0:4.2.7-2
+- Fix CVE-2023-37460
+
 * Fri Jul 28 2023 yaoxin - 0:4.2.7-1
 - Update to 4.2.7
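Review bot: The `cp -a %{SOURCE1} src/test/resources/symlinks/` line in the `%prep` hunk stages a fixture that only the new `testNonExistingSymlink` uses, while the `%build` section two lines below still runs `%mvn_build -f`; if `-f` still means "skip tests" as in the javapackages `mvn_build` macro, the CVE regression test is copied in and then never executed during the package build. If that is intended, a one-line comment above the `cp`, such as `# fixture for testNonExistingSymlink; note tests are skipped by %mvn_build -f`, would record it; otherwise dropping `-f` (or running at least that test) is what gets the fix verified at build time. The `%changelog` hunk that follows runs past the end of this chunk.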