diff --git a/backport-CVE-2025-49809.patch b/backport-CVE-2025-49809.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5cc7da4e115dcf7daecb83048e6160164e226611
--- /dev/null
+++ b/backport-CVE-2025-49809.patch
@@ -0,0 +1,35 @@
+From 5226f105f087c29d3cfad9f28000e7536af91ac6 Mon Sep 17 00:00:00 2001
+From: "R.E. Wolff" <R.E.Wolff@BitWizard.nl>
+Date: Sun, 29 Jun 2025 14:06:00 +0200
+Subject: [PATCH] Added protection against use of MTR_PACKET under special
+ circumstances
+
+---
+ ui/cmdpipe.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ui/cmdpipe.c b/ui/cmdpipe.c
+index 81acb9c8..bd5606a5 100644
+--- a/ui/cmdpipe.c
++++ b/ui/cmdpipe.c
+@@ -220,10 +220,17 @@ void execute_packet_child(
+        the path to the mtr-packet executable.  This is necessary
+        for debugging changes for mtr-packet.
+      */
+-    char *mtr_packet_path = getenv("MTR_PACKET");
+-    if (mtr_packet_path == NULL) {
++    char * mtr_packet_path = NULL;
++
++    // In the rare case that mtr-packet is not setuid-root,
++    // and a select group of users has sudo privileges to run
++    // mtr and not much else, THEN create /etc/mtr.is.run.under.sudo
++    // to prevent a privilege escalation when one of those accounts
++    // is compromised.  CVE-2025-49809
++    if (access ("/etc/mtr.is.run.under.sudo", F_OK) != 0)
++        mtr_packet_path = getenv("MTR_PACKET");
++    if (mtr_packet_path == NULL)
+         mtr_packet_path = "mtr-packet";
+-    }
+ 
+     /*
+        First, try to execute mtr-packet from PATH
diff --git a/mtr.spec b/mtr.spec
index 0204541d5cda4a7d4ee60320a45cd6559d94f35a..64564a69e1b03a7d59891965003d8217e698d372 100644
--- a/mtr.spec
+++ b/mtr.spec
@@ -2,7 +2,7 @@
 
 Name:          mtr
 Version:       0.95
-Release:       3
+Release:       4
 Epoch:         2
 Summary:       Ping and Traceroute Network Diagnostic Tool
 License:       GPLv2 and BSD
@@ -10,6 +10,9 @@ URL:           https://www.bitwizard.nl/mtr/
 Source0:       https://github.com/traviscross/mtr/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:       net-x%{name}.desktop
 Source2:       mtr-gtk-pkexec-wrapper.sh
+
+Patch01:       backport-CVE-2025-49809.patch
+
 BuildRequires: git autoconf automake libtool ncurses-devel gtk3-devel desktop-file-utils
 
 %if %{?openEuler:1}0
@@ -89,6 +92,12 @@ make test
 %{_mandir}/man8/*
 
 %changelog
+* Fri Jul 04 2025 xuchenchen <xuchenchen@kylinos.cn> - 2:0.95-4
+- Type:CVES
+- ID:CVE-2025-49809
+- SUG:NA
+- DESC:backport CVE-2025-49809
+
 * Thu Aug 29 2024 yanglu <yanglu72@h-partners.com> - 2:0.95-3
 - Type:bugfix
 - CVE:NA