diff --git a/CVE-2024-28397.patch b/CVE-2024-28397.patch
new file mode 100644
index 0000000..a784940
--- /dev/null
+++ b/CVE-2024-28397.patch
@@ -0,0 +1,13 @@
+Index: Js2Py-0.74/js2py/constructors/jsobject.py
+===================================================================
+--- Js2Py-0.74.orig/js2py/constructors/jsobject.py
++++ Js2Py-0.74/js2py/constructors/jsobject.py
+@@ -48,7 +48,7 @@ class ObjectMethods:
+             raise MakeError(
+                 'TypeError',
+                 'Object.getOwnPropertyDescriptor called on non-object')
+-        return obj.own.keys()
++        return list(obj.own.keys())
+ 
+     def create(obj):
+         if not (obj.is_object() or obj.is_null()):
diff --git a/python-Js2Py.changes b/python-Js2Py.changes
index 41dd1e7..f3d19d1 100644
--- a/python-Js2Py.changes
+++ b/python-Js2Py.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jul  1 08:39:07 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2024-28397.patch upstream patch.
+  (bsc#1226660, gh#PiotrDabkowski/Js2Py#323)
+
 -------------------------------------------------------------------
 Mon Jul  1 08:19:03 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 
diff --git a/python-Js2Py.spec b/python-Js2Py.spec
index 3b37844..ef16007 100644
--- a/python-Js2Py.spec
+++ b/python-Js2Py.spec
@@ -30,6 +30,8 @@ Source1:        https://raw.githubusercontent.com/PiotrDabkowski/Js2Py/master/LI
 Patch0:         remove-python-six.patch
 # PATCH-FIX-UPSTREAM python312.patch gh#PiotrDabkowski/Js2Py#327
 Patch1:         python312.patch
+# PATCH-FIX-UPSTREAM CVE-2024-28397.patch gh#PiotrDabkowski/Js2Py#323
+Patch2:         CVE-2024-28397.patch
 BuildRequires:  %{python_module pyjsparser}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes