diff --git a/0011-CVE-2023-25194.patch b/0011-CVE-2023-25194.patch
new file mode 100644
index 0000000000000000000000000000000000000000..35fb0763c16534a93ce09879557b5de76240ce41
--- /dev/null
+++ b/0011-CVE-2023-25194.patch
@@ -0,0 +1,13 @@
+diff --git a/pom.xml b/pom.xml
+index c6d4dcc9c7..0cbb930786 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -142,7 +142,7 @@ flexible messaging model and an intuitive client API.</description>
+     <hbc-core.version>2.2.0</hbc-core.version>
+     <cassandra-driver-core.version>3.6.0</cassandra-driver-core.version>
+     <aerospike-client.version>4.4.20</aerospike-client.version>
+-    <kafka-client.version>2.7.2</kafka-client.version>
++    <kafka-client.version>3.4.0</kafka-client.version>
+     <rabbitmq-client.version>5.1.1</rabbitmq-client.version>
+     <aws-sdk.version>1.12.262</aws-sdk.version>
+     <avro.version>1.10.2</avro.version>
diff --git a/pulsar.spec b/pulsar.spec
index 04b978770f5c755e44ffaeac856ffe7fb0a46d77..ee3fbe2858b79e67ed6bef83afde217433639b89 100644
--- a/pulsar.spec
+++ b/pulsar.spec
@@ -1,6 +1,6 @@
 %define debug_package %{nil}
 %define pulsar_ver 2.10.4
-%define pkg_ver 10
+%define pkg_ver 11
 %define _prefix /opt/pulsar
 Summary: Cloud-Native, Distributed Messaging and Streaming
 Name: pulsar
@@ -20,6 +20,7 @@ Patch0007: 0007-CVE-2022-1471.patch
 Patch0008: 0008-CVE-2023-26048.patch
 Patch0009: 0009-CVE-2022-24329.patch
 Patch0010: 0010-CVE-2022-22970.patch
+Patch0011: 0011-CVE-2023-25194.patch
 BuildRoot: /root/rpmbuild/BUILDROOT/
 BuildRequires: java-1.8.0-openjdk-devel,maven,systemd
 Requires: java-1.8.0-openjdk,systemd
@@ -42,6 +43,7 @@ Pulsar is a distributed pub-sub messaging platform with a very flexible messagin
 %patch0008 -p1
 %patch0009 -p1
 %patch0010 -p1
+%patch0011 -p1
 
 %build
 mvn clean install -Pcore-modules,-main -DskipTests
@@ -67,6 +69,8 @@ getent passwd pulsar >/dev/null || useradd -r -g pulsar -d / -s /sbin/nologin pu
 exit 0
 
 %changelog
+* Wed Dec 6 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-11
+- resolve cve-2023-25194
 * Wed Dec 6 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-10
 - resolve cve-2022-22970
 * Mon Dec 5 2023 Dapeng Sun <sundapeng@cmss.chinamobile.com> - 2.10.4-9
