diff --git a/apache2-CVE-2024-40725.patch b/apache2-CVE-2024-40725.patch
new file mode 100644
index 0000000..e10e658
--- /dev/null
+++ b/apache2-CVE-2024-40725.patch
@@ -0,0 +1,29 @@
+From a7d24b4ea9a6ea35878fd33075365328caafcf91 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 15 Jul 2024 12:08:30 +0000
+Subject: [PATCH] Merge r1919247 from trunk:
+
+copy the trusted flag from the subrequest
+
+Submitted By: covener
+Reviewed By: covener, ylavic, gbechis
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1919249 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/http/http_request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/http/http_request.c b/modules/http/http_request.c
+index 71ecc2bbab1..7e9477be1f1 100644
+--- a/modules/http/http_request.c
++++ b/modules/http/http_request.c
+@@ -708,7 +708,7 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r)
+     r->args = rr->args;
+     r->finfo = rr->finfo;
+     r->handler = rr->handler;
+-    ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r));
++    ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(rr));
+     r->content_encoding = rr->content_encoding;
+     r->content_languages = rr->content_languages;
+     r->per_dir_config = rr->per_dir_config;
diff --git a/apache2.changes b/apache2.changes
index ebc16c3..80fc185 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Oct  3 02:39:41 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
+
+- Apply fix for CVE-2024-40725, bsc#1228097.
+  Patch file added:
+  * apache2-CVE-2024-40725.patch 
+
 -------------------------------------------------------------------
 Wed Oct  2 18:22:25 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
 
diff --git a/apache2.spec b/apache2.spec
index 096f5bb..5641349 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -225,6 +225,8 @@ Patch28:        apache2-CVE-2024-38473-3.patch
 Patch29:        apache2-CVE-2024-38473-4.patch
 # FIX-UPSTREAM: CVE-2024-39884, bsc#1227353: source code disclosure with handlers configured via AddType
 Patch30:        apache2-CVE-2024-39884.patch
+# FIX-UPSTREAM: CVE-2024-40725, bsc#1229087: source code disclosure of local content
+Patch31:        apache2-CVE-2024-40725.patch
 
 # PATCH:  https://marc.info/?l=apache-httpd-users&m=147448312531134&w=2
 Patch100:       apache-test-application-xml-type.patch