diff --git a/fake-gcs-server-1.52.1.tar.gz b/fake-gcs-server-1.52.1.tar.gz
deleted file mode 100644
index e2df759..0000000
--- a/fake-gcs-server-1.52.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:baaf9b15a8a566528f741b7d21a3666c2d32d35e3e0cd55c3fda40b92e443a72
-size 120334
diff --git a/fake-gcs-server-1.52.2.tar.gz b/fake-gcs-server-1.52.2.tar.gz
new file mode 100644
index 0000000..1ecd157
--- /dev/null
+++ b/fake-gcs-server-1.52.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72286d7db3b9b08c64821dff758baba0b9836876c8f553d281974dfb5525f65e
+size 121303
diff --git a/fake-gcs-server.changes b/fake-gcs-server.changes
index 88c7771..a4ea3ed 100644
--- a/fake-gcs-server.changes
+++ b/fake-gcs-server.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Mar 11 08:23:03 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 1.52.2:
+  - fix: typos
+  - Use default temporary directory in tests
+  - Go 1.24 is out, drop Go 1.22
+- bsc#1239200 (CVE-2025-22868): revendor
+  to use golang.org/x/oauth2 v0.28.0
+  (https://pkg.go.dev/vuln/GO-2025-3488).
+
 -------------------------------------------------------------------
 Tue Jan 28 22:48:18 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
 
diff --git a/fake-gcs-server.spec b/fake-gcs-server.spec
index b179bb1..6449288 100644
--- a/fake-gcs-server.spec
+++ b/fake-gcs-server.spec
@@ -21,13 +21,16 @@
 %global provider_prefix github.com/fsouza/fake-gcs-server/fakestorage
 %global import_path     %{provider_prefix}
 Name:           fake-gcs-server
-Version:        1.52.1
+Version:        1.52.2
 Release:        0
 Summary:        Google Cloud Storage emulator & testing library
 License:        BSD-2-Clause
 URL:            https://github.com/fsouza/fake-gcs-server
 Source0:        https://github.com/fsouza/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        vendor.tar.xz
+# PATCH-FIX-UPSTREAM update-golang-oauth2.patch bsc#[0-9]+ mcepl@suse.com
+# update vendored golang-oauth2 (CVE-2025-22868, GO-2025-3488)
+Patch0:         update-golang-oauth2.patch
 BuildRequires:  fdupes
 BuildRequires:  go >= 1.23.0
 BuildRequires:  golang-packaging
diff --git a/update-golang-oauth2.patch b/update-golang-oauth2.patch
new file mode 100644
index 0000000..2bd3660
--- /dev/null
+++ b/update-golang-oauth2.patch
@@ -0,0 +1,41 @@
+---
+ go.mod |    6 ++++--
+ go.sum |    4 ++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+Index: fake-gcs-server-1.52.2/go.mod
+===================================================================
+--- fake-gcs-server-1.52.2.orig/go.mod	2025-02-16 04:33:40.000000000 +0100
++++ fake-gcs-server-1.52.2/go.mod	2025-03-11 10:36:31.416633475 +0100
+@@ -10,7 +10,7 @@
+ 	github.com/minio/minio-go/v7 v7.0.86
+ 	github.com/pkg/xattr v0.4.10
+ 	github.com/stretchr/testify v1.10.0
+-	golang.org/x/oauth2 v0.26.0
++	golang.org/x/oauth2 v0.28.0
+ 	google.golang.org/api v0.215.0
+ )
+ 
+@@ -77,4 +77,6 @@
+ 	gopkg.in/yaml.v3 v3.0.1 // indirect
+ )
+ 
+-go 1.23
++go 1.23.0
++
++toolchain go1.24.1
+Index: fake-gcs-server-1.52.2/go.sum
+===================================================================
+--- fake-gcs-server-1.52.2.orig/go.sum	2025-02-16 04:33:40.000000000 +0100
++++ fake-gcs-server-1.52.2/go.sum	2025-03-11 10:36:39.413614515 +0100
+@@ -187,8 +187,8 @@
+ golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+ golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+-golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
+-golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
++golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
++golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/vendor.tar.xz b/vendor.tar.xz
index 77759c9..21bc890 100644
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8504fb34cdaaddfa598e4a5700c4db83006ac35ca5431eb099f25f0c79284598
-size 3883388
+oid sha256:6262d97fe5062b8eb4c07289544ef32eefbb7ab5b06881f054477b1ffde5ae76
+size 4097620