diff --git a/backport-fix-CVE-2025-27144.patch b/backport-fix-CVE-2025-27144.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e85ee21b08e39149f557db6e3ab37e883da12447
--- /dev/null
+++ b/backport-fix-CVE-2025-27144.patch
@@ -0,0 +1,89 @@
+From 038bbc81ba34564ab5cf7c73ed21cf4409c46a00 Mon Sep 17 00:00:00 2001
+From: Matthew McPherrin <mattm@letsencrypt.org>
+Date: Fri, 28 Mar 2025 11:33:09 +0800
+Subject: [PATCH] fix CVE-2025-27144 Don't allow unbounded amounts of splits
+ (#167) In compact JWS/JWE, don't allow unbounded number of splits. Count to
+ make sure there's the right number, then use SplitN.
+
+---
+ vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v4/jwe.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v4/jws.go | 5 +++--
+ 4 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+index 4267ac7..5703ecc 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+ 
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
++	// Five parts is four separators
++ 	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ 	}
++	parts := strings.SplitN(input, ".", 5)
+ 
+ 	rawProtected, err := base64URLDecode(parts[0])
+ 	if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
+index e37007d..30696af 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+ 
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
++	// Three parts is two separators
++ 	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ 	}
++	parts := strings.SplitN(input, ".", 3)
+ 
+ 	if parts[1] != "" && payload != nil {
+ 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+index 89f03ee..c0941c4 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
+ 	keyAlgorithms []KeyAlgorithm,
+ 	contentEncryption []ContentEncryption,
+ ) (*JSONWebEncryption, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 5 {
++	// Five parts is four separators
++ 	if strings.Count(input, ".") != 4 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ 	}
++	parts := strings.SplitN(input, ".", 5)
+ 
+ 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ 	if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
+index 3a91230..1b0cbc4 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
+@@ -327,10 +327,11 @@ func parseSignedCompact(
+ 	payload []byte,
+ 	signatureAlgorithms []SignatureAlgorithm,
+ ) (*JSONWebSignature, error) {
+-	parts := strings.Split(input, ".")
+-	if len(parts) != 3 {
++	// Three parts is two separators
++ 	if strings.Count(input, ".") != 2 {
+ 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ 	}
++	parts := strings.SplitN(input, ".", 3)
+ 
+ 	if parts[1] != "" && payload != nil {
+ 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+-- 
+2.25.1
+
diff --git a/skopeo.spec b/skopeo.spec
index fe006481e8918a511037fe0a133a98228635ac88..2ae5783b940594e2f9c30bc0c2439f989454a435 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -12,13 +12,14 @@ ExcludeArch: ppc64
 Name: skopeo
 Epoch: 1
 Version: 1.16.1
-Release: 1
+Release: 2
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: Apache-2.0
 URL: https://github.com/containers/skopeo
 Source0: https://github.com/containers/skopeo/archive/refs/tags/v1.16.1.tar.gz
 Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
 
+Patch0001:   backport-fix-CVE-2025-27144.patch
 
 BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
 BuildRequires: golang >= 1.19
@@ -114,6 +115,12 @@ cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
 %{_datadir}/%{name}/test
 
 %changelog
+* Fri Mar 28 2025 zhangbowei <zhangbowei@kylinos.cn> - 1:1.16.1-2
+-Type:cve
+-CVE:CVE-2025-27144
+-SUG:NA
+-DESC:backport CVE-2025-27144
+
 * Thu Sep 19 2024 tenglei <tenglei@kylinos.cn> - 1:1.16.1-1
 - Type:Upgrade
 - CVE:NA