diff --git a/backport-CVE-2022-22577.patch b/backport-CVE-2022-22577.patch new file mode 100644 index 0000000..994276f --- /dev/null +++ b/backport-CVE-2022-22577.patch @@ -0,0 +1,38 @@ +From d2253115ac2b30f5f7210670af906cebf79cf809 Mon Sep 17 00:00:00 2001 +From: Aaron Patterson +Date: Tue, 8 Mar 2022 13:23:15 -0800 +Subject: [PATCH] Merge pull request #44635 from imtayadeway/tjw/api-csp-i + +Generate content security policy for non-HTML responses +--- + lib/action_dispatch/http/content_security_policy.rb | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/lib/action_dispatch/http/content_security_policy.rb b/lib/action_dispatch/http/content_security_policy.rb +index 6f9fb11..a1d0740 100644 +--- a/lib/action_dispatch/http/content_security_policy.rb ++++ b/lib/action_dispatch/http/content_security_policy.rb +@@ -17,7 +17,6 @@ module ActionDispatch #:nodoc: + request = ActionDispatch::Request.new env + _, headers, _ = response = @app.call(env) + +- return response unless html_response?(headers) + return response if policy_present?(headers) + + if policy = request.content_security_policy +@@ -31,12 +30,6 @@ module ActionDispatch #:nodoc: + + private + +- def html_response?(headers) +- if content_type = headers[CONTENT_TYPE] +- content_type =~ /html/ +- end +- end +- + def header_name(request) + if request.content_security_policy_report_only + POLICY_REPORT_ONLY +-- +2.27.0 + diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec index cc21848..1963981 100644 --- a/rubygem-actionpack.spec +++ b/rubygem-actionpack.spec @@ -4,7 +4,7 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 5.2.4.4 -Release: 6 +Release: 7 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) License: MIT URL: http://rubyonrails.org 
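Review bot: The backport deletes `html_response?`, which within this hunk is the only visible reader of the `CONTENT_TYPE` constant, yet none of the seven deletions touches the constant itself; if nothing else in content_security_policy.rb uses it (its definition is outside the hunk), the backport should drop it as well so the file does not keep a dead constant suggesting the content-type gate still exists. The inner diffstat (`1 file changed, 7 deletions(-)`) shows only the library change was carried over, so the package carries no test asserting that non-HTML responses now receive the policy header; if the build runs the gem's test suite, consider backporting the matching test from upstream PR #44635 too. With the guard gone, the header is emitted for any content type whenever a policy is configured and `policy_present?(headers)` has not already found one, which is the intended fix for CVE-2022-22577; the surrounding method and the body of the `if policy = request.content_security_policy` branch start and end outside the first inner hunk.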
@@ -20,6 +20,8 @@ Patch3: CVE-2023-22795.patch Patch3000: CVE-2022-23633.patch Patch3001: backport-CVE-2024-41128.patch Patch3002: backport-CVE-2024-47887.patch +# https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533 +Patch3003: backport-CVE-2022-22577.patch BuildRequires: ruby(release) rubygems-devel ruby >= 2.2.2 %if ! 0%{?bootstrap} @@ -53,6 +55,7 @@ Documentation for %{name}. pushd .%{gem_instdir} %patch3001 -p1 %patch3002 -p1 +%patch3003 -p1 popd %build @@ -84,6 +87,9 @@ popd %doc %{gem_instdir}/README.rdoc %changelog +* Mon Nov 4 2024 yinzeqiang - 1:5.2.4.4-7 +- Fix CVE-2022-22577 + * Thu Oct 17 2024 yaoxin - 1:5.2.4.4-6 - Fix CVE-2024-41128 and CVE-2024-47887