diff --git a/CVE-2020-10663.patch b/CVE-2020-10663.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ee73ad6d132d7f60553da31e9cc95878ae66d50d
--- /dev/null
+++ b/CVE-2020-10663.patch
@@ -0,0 +1,37 @@
+From 85487773ba69ec2179cac77ed725cec1b6cdffc8 Mon Sep 17 00:00:00 2001
+Subject: [PATCH] fix CVE-2020-10663
+
+---
+ ext/json/parser/parser.c | 2 +-
+ ext/json/parser/parser.rl | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/json/parser/parser.c b/ext/json/parser/parser.c
+index d2e4eb6..ae90b2e 100644
+--- a/ext/json/parser/parser.c
++++ b/ext/json/parser/parser.c
+@@ -1815,7 +1815,7 @@ static VALUE cParser_initialize(int argc, VALUE *argv, VALUE self)
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+- json->create_additions = 1;
++ json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
+diff --git a/ext/json/parser/parser.rl b/ext/json/parser/parser.rl
+index 29900a4..f7dbcff 100644
+--- a/ext/json/parser/parser.rl
++++ b/ext/json/parser/parser.rl
+@@ -710,7 +710,7 @@ static VALUE cParser_initialize(int argc, VALUE *argv, VALUE self)
+ } else {
+ json->max_nesting = 100;
+ json->allow_nan = 0;
+- json->create_additions = 1;
++ json->create_additions = 0;
+ json->create_id = rb_funcall(mJSON, i_create_id, 0);
+ json->object_class = Qnil;
+ json->array_class = Qnil;
+--
+2.23.0
+
diff --git a/ruby.spec b/ruby.spec
index 9a4db1c65c85ce0739d2ebefbb7c719877403d5f..ebf8dd3228a705820c88dfb93d985fd3b7876b24 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,6 +1,6 @@
 Name: ruby
 Version: 2.5.1
-Release: 105
+Release: 106
 Summary: Object-oriented scripting language interpreter
 License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL: http://ruby-lang.org/
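Review bot: The new CVE-2020-10663.patch is committed, but the ruby.spec hunks in this commit only bump Release and add a changelog entry; no `Patch:` declaration or `%patch` application for it appears in the spec diff, so unless the spec picks up patch files by some mechanism not visible here, the rebuilt package will not actually contain the fix. The spec should gain a `PatchNNN: CVE-2020-10663.patch` line (numbered after the existing patches) together with its application in %prep, and a build-time check that the patch applied cleanly would catch this class of omission. Separately, the backported change sets `json->create_additions = 0` only in the no-options `else` branch of cParser_initialize, whose options branch lies outside the hunk, and the patch file carries no `From:`/`Date:` header identifying its upstream origin, so it is worth recording in the patch header or changelog where the backport was taken from and confirming the options branch defaults consistently.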
@@ -588,6 +588,12 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.* %changelog +* Mon Jun 22 2020 zhanghua - 2.5.1-106 +- Type:cves +- ID:CVE-2020-10663 +- SUG:restart +- DESC:fix CVE-2020-10663 + * Thu May 07 2020 huanghaitao - 2.5.1-105 - Type:cves - ID:CVE-2020-10933