diff --git a/0002-fix-cve-2024-6257.patch b/0002-fix-cve-2024-6257.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9a83b76503d1a5e413e395e2372294b41f739a6e
--- /dev/null
+++ b/0002-fix-cve-2024-6257.patch
@@ -0,0 +1,208 @@
+From 91bf0f4a648d6656c3c38016337175e483600655 Mon Sep 17 00:00:00 2001
+From: chenxu
+Date: Mon, 15 Dec 2025 16:47:41 +0800
+Subject: [PATCH] fix CVE-2024-6257 by updating hashicorp/go-getter to v1.7.5
+
+---
+ go.mod | 2 +-
+ go.sum | 4 +-
+ .../github.com/hashicorp/go-getter/get_git.go | 85 +++++++++++++++----
+ .../github.com/hashicorp/go-getter/netrc.go | 3 +-
+ vendor/modules.txt | 2 +-
+ 5 files changed, 75 insertions(+), 21 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index e7d94bb..1d0aa9c 100644
+--- a/go.mod
++++ b/go.mod
+@@ -38,7 +38,7 @@ require (
+ github.com/hashicorp/errwrap v1.1.0
+ github.com/hashicorp/go-azure-helpers v0.43.0
+ github.com/hashicorp/go-cleanhttp v0.5.2
+- github.com/hashicorp/go-getter v1.7.3
++ github.com/hashicorp/go-getter v1.7.5
+ github.com/hashicorp/go-hclog v1.5.0
+ github.com/hashicorp/go-multierror v1.1.1
+ github.com/hashicorp/go-plugin v1.4.3
+diff --git a/go.sum b/go.sum
+index beaa0dc..9c830f5 100644
+--- a/go.sum
++++ b/go.sum
+@@ -644,8 +644,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
+ github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+ github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+-github.com/hashicorp/go-getter v1.7.3 h1:bN2+Fw9XPFvOCjB0UOevFIMICZ7G2XSQHzfvLUyOM5E=
+-github.com/hashicorp/go-getter v1.7.3/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
++github.com/hashicorp/go-getter v1.7.5 h1:dT58k9hQ/vbxNMwoI5+xFYAJuv6152UNvdHokfI5wE4=
++github.com/hashicorp/go-getter v1.7.5/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
+ github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=
+ github.com/hashicorp/go-hclog v0.8.0/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+ github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+diff --git a/vendor/github.com/hashicorp/go-getter/get_git.go b/vendor/github.com/hashicorp/go-getter/get_git.go
+index 908493b..f38e0d2 100644
+--- a/vendor/github.com/hashicorp/go-getter/get_git.go
++++ b/vendor/github.com/hashicorp/go-getter/get_git.go
+@@ -125,7 +125,7 @@ func (g *GitGetter) Get(dst string, u *url.URL) error {
+ return err
+ }
+ if err == nil {
+- err = g.update(ctx, dst, sshKeyFile, ref, depth)
++ err = g.update(ctx, dst, sshKeyFile, u, ref, depth)
+ } else {
+ err = g.clone(ctx, dst, sshKeyFile, u, ref, depth)
+ }
+@@ -200,7 +200,7 @@ func (g *GitGetter) clone(ctx context.Context, dst, sshKeyFile string, u *url.UR
+ args = append(args, "--depth", strconv.Itoa(depth))
+ args = append(args, "--branch", ref)
+ }
+- args = append(args, u.String(), dst)
++ args = append(args, "--", u.String(), dst)
+ 
+ cmd := exec.CommandContext(ctx, "git", args...)
+ setupGitEnv(cmd, sshKeyFile)
+@@ -228,28 +228,64 @@ func (g *GitGetter) clone(ctx context.Context, dst, sshKeyFile string, u *url.UR
+ return nil
+ }
+ 
+-func (g *GitGetter) update(ctx context.Context, dst, sshKeyFile, ref string, depth int) error {
+- // Determine if we're a branch. If we're NOT a branch, then we just
+- // switch to master prior to checking out
+- cmd := exec.CommandContext(ctx, "git", "show-ref", "-q", "--verify", "refs/heads/"+ref)
++func (g *GitGetter) update(ctx context.Context, dst, sshKeyFile string, u *url.URL, ref string, depth int) error {
++ // Remove all variations of .git directories
++ err := removeCaseInsensitiveGitDirectory(dst)
++ if err != nil {
++ return err
++ }
++
++ // Initialize the git repository
++ cmd := exec.CommandContext(ctx, "git", "init")
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
++
++ // Add the git remote
++ cmd = exec.CommandContext(ctx, "git", "remote", "add", "origin", "--", u.String())
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
++
++ // Fetch the remote ref
++ cmd = exec.CommandContext(ctx, "git", "fetch", "--tags")
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
++
++ // Fetch the remote ref
++ cmd = exec.CommandContext(ctx, "git", "fetch", "origin", "--", ref)
+ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
+ 
+- if getRunCommand(cmd) != nil {
+- // Not a branch, switch to default branch. This will also catch
+- // non-existent branches, in which case we want to switch to default
+- // and then checkout the proper branch later.
+- ref = findDefaultBranch(ctx, dst)
++ // Reset the branch to the fetched ref
++ cmd = exec.CommandContext(ctx, "git", "reset", "--hard", "FETCH_HEAD")
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
+ }
+ 
+- // We have to be on a branch to pull
+- if err := g.checkout(ctx, dst, ref); err != nil {
++ // Checkout ref branch
++ err = g.checkout(ctx, dst, ref)
++ if err != nil {
+ return err
+ }
+ 
++ // Pull the latest changes from the ref branch
+ if depth > 0 {
+- cmd = exec.CommandContext(ctx, "git", "pull", "--depth", strconv.Itoa(depth), "--ff-only")
++ cmd = exec.CommandContext(ctx, "git", "pull", "origin", "--depth", strconv.Itoa(depth), "--ff-only", "--", ref)
+ } else {
+- cmd = exec.CommandContext(ctx, "git", "pull", "--ff-only")
++ cmd = exec.CommandContext(ctx, "git", "pull", "origin", "--ff-only", "--", ref)
+ }
+ 
+ cmd.Dir = dst
+@@ -289,7 +325,7 @@ func findDefaultBranch(ctx context.Context, dst string) string {
+ // default branch. "master" is returned if no HEAD symref exists.
+ func findRemoteDefaultBranch(ctx context.Context, u *url.URL) string {
+ var stdoutbuf bytes.Buffer
+- cmd := exec.CommandContext(ctx, "git", "ls-remote", "--symref", u.String(), "HEAD")
++ cmd := exec.CommandContext(ctx, "git", "ls-remote", "--symref", "--", u.String(), "HEAD")
+ cmd.Stdout = &stdoutbuf
+ err := cmd.Run()
+ matches := lsRemoteSymRefRegexp.FindStringSubmatch(stdoutbuf.String())
+@@ -377,3 +413,20 @@ func checkGitVersion(ctx context.Context, min string) error {
+ 
+ return nil
+ }
++
++// removeCaseInsensitiveGitDirectory removes all .git directory variations
++func removeCaseInsensitiveGitDirectory(dst string) error {
++ files, err := os.ReadDir(dst)
++ if err != nil {
++ return fmt.Errorf("Failed to read the destination directory %s during git update", dst)
++ }
++ for _, f := range files {
++ if strings.EqualFold(f.Name(), ".git") && f.IsDir() {
++ err := os.RemoveAll(filepath.Join(dst, f.Name()))
++ if err != nil {
++ return fmt.Errorf("Failed to remove the .git directory in the destination directory %s during git update", dst)
++ }
++ }
++ }
++ return nil
++}
+diff --git a/vendor/github.com/hashicorp/go-getter/netrc.go b/vendor/github.com/hashicorp/go-getter/netrc.go
+index c7f6a3f..2fe868a 100644
+--- a/vendor/github.com/hashicorp/go-getter/netrc.go
++++ b/vendor/github.com/hashicorp/go-getter/netrc.go
+@@ -5,6 +5,7 @@ import (
+ "net/url"
+ "os"
+ "runtime"
++ "syscall"
+ 
+ "github.com/bgentry/go-netrc/netrc"
+ "github.com/mitchellh/go-homedir"
+@@ -38,7 +39,7 @@ func addAuthFromNetrc(u *url.URL) error {
+ // If the file is not a file, then do nothing
+ if fi, err := os.Stat(path); err != nil {
+ // File doesn't exist, do nothing
+- if os.IsNotExist(err) {
++ if serr, ok := err.(*os.PathError); ok && (os.IsNotExist(serr.Err) || serr.Err == syscall.ENOTDIR) {
+ return nil
+ }
+ 
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index e03f17e..1bf22bd 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -620,7 +620,7 @@ 
github.com/hashicorp/go-azure-helpers/storage + # github.com/hashicorp/go-cleanhttp v0.5.2 + ## explicit; go 1.13 + github.com/hashicorp/go-cleanhttp +-# github.com/hashicorp/go-getter v1.7.3 ++# github.com/hashicorp/go-getter v1.7.5 + ## explicit; go 1.13 + github.com/hashicorp/go-getter + github.com/hashicorp/go-getter/helper/url +-- +2.25.1 + diff --git a/opentofu.spec b/opentofu.spec index 22604c6fad916cbb41bb3a3741d2a42c83b4bd5c..348cdbaf462a4dd3e07d0a613e12edef3c058358 100644 --- a/opentofu.spec +++ b/opentofu.spec @@ -2,13 +2,14 @@ Name: opentofu Version: 1.6.2 -Release: 2 +Release: 3 Summary: OpenTofu lets you declaratively manage your cloud infrastructure License: 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND MIT AND MPL-2.0 URL: https://github.com/opentofu/opentofu Source0: https://github.com/opentofu/opentofu/archive/refs/tags/v%{version}.tar.gz Source1: %{name}-%{version}-vendor.tar.gz Patch0001: 0001-backport-support-lower-case-http_proxy-or-https_proxy-env-variables-in-S3-backend.patch +Patch0002: 0002-fix-cve-2024-6257.patch BuildRequires: golang >= 1.20 @@ -44,6 +45,9 @@ done %{_bindir}/tofu %changelog +* Mon Dec 15 2025 chenxu - 1.6.2-3 +- fix CVE-2024-6257 + * Thu Apr 10 2025 lijian - 1.6.2-2 - Backport: support lower-case http/https_proxy env variables in S3 backend
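Review bot: The get_git.go and netrc.go hunks carry upstream source by hand rather than as `go mod vendor` output, so before merging the vendored tree should be regenerated from a go.mod pinned at go-getter v1.7.5 and diffed against the patched `vendor/` to confirm nothing diverges from the released module; otherwise `vendor/modules.txt` would claim v1.7.5 while the package ships different code. The rewritten `update` does more than add the `--` separators before `ref` and `u.String()`: it now removes any directory under `dst` whose name case-insensitively equals `.git`, re-runs `git init`/`remote add`/`fetch --tags`/`fetch origin -- ref`/`reset --hard FETCH_HEAD`, and only then checks out and pulls `ref`, which is a larger behavioural change for existing checkouts than the patch subject describes and deserves a sentence in the changelog. Both `fmt.Errorf` calls in the new `removeCaseInsensitiveGitDirectory` drop the underlying `err` (a `%w` wrap would keep it), which will make update failures hard to diagnose; since this is vendored upstream code it should not be modified locally, but it is worth reporting upstream. The go.sum line for `go-getter v1.7.5/go.mod` keeps the same `W7TalhMm…` hash as the v1.7.3 go.mod line, which is only right if go.mod was unchanged between the two tags — `go mod verify` against a populated module cache settles that rather than trusting the hand-edited entry.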
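Review bot: Confirm that Patch0002 is actually applied in `%prep`, which lies outside this hunk; adding the `Patch0002:` tag alone does nothing unless `%autosetup -p1` or an explicit `%patch` line picks it up. Because the patch touches files under `vendor/` that come from `Source1` (the vendor tarball), also confirm that `Source1` is unpacked before the patch is applied — otherwise the build either silently ships the old go-getter or fails at patch time, and neither outcome is visible from the Release bump in this hunk.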