diff --git a/CVE-2024-25885.patch b/CVE-2024-25885.patch
new file mode 100644
index 0000000..a705c5e
--- /dev/null
+++ b/CVE-2024-25885.patch
@@ -0,0 +1,49 @@
+From de0fdbdf4224f3277419c2080ca0fd35fd5948a5 Mon Sep 17 00:00:00 2001
+From: David Trupiano
+Date: Tue, 22 Oct 2024 15:45:54 -0400
+Subject: [PATCH] fix reDOS CVE in getColor function
+
+---
+ xhtml2pdf/util.py | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/xhtml2pdf/util.py b/xhtml2pdf/util.py
+index ff4ac2a9..dafc1933 100644
+--- a/xhtml2pdf/util.py
++++ b/xhtml2pdf/util.py
+@@ -130,22 +130,31 @@ def getColor(value, default=None):
+ """
+ Convert to color value.
+ This returns a Color object instance from a text bit.
++ Mitigation for ReDoS attack applied by limiting input length and validating input.
+ """
+ if value is None:
+ return None
+ if isinstance(value, Color):
+ return value
+ value = str(value).strip().lower()
++
++ # Limit the length of the value to prevent excessive input causing ReDoS
++ if len(value) > 100: # Set a reasonable length limit to avoid extreme inputs
++ return default
++
+ if value in {"transparent", "none"}:
+ return default
+ if value in COLOR_BY_NAME:
+ return COLOR_BY_NAME[value]
+ if value.startswith("#") and len(value) == 4:
+ value = "#" + value[1] + value[1] + value[2] + value[2] + value[3] + value[3]
+- elif rgb_re.search(value):
+- # e.g., value = "", go figure:
+- r, g, b = (int(x) for x in rgb_re.search(value).groups())
+- value = f"#{r:02x}{g:02x}{b:02x}"
++ elif rgb_re.match(value):
++ # Use match instead of search to ensure proper regex usage and limit to valid patterns
++ try:
++ r, g, b = (int(x) for x in rgb_re.match(value).groups())
++ value = f"#{r:02x}{g:02x}{b:02x}"
++ except ValueError:
++ pass
+ else:
+ # Shrug
+ pass
diff --git a/python-xhtml2pdf.changes b/python-xhtml2pdf.changes
index 42ffd8d..66e7fcf 100644
--- a/python-xhtml2pdf.changes
+++ b/python-xhtml2pdf.changes
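Review bot: The new `elif rgb_re.match(value):` branch still accepts trailing garbage, because `re.match` anchors only the start of the string, so the added comment's claim that it "limit[s] to valid patterns" holds only for the prefix; `re.fullmatch` would make the check as strict as the comment says (assuming no caller relies on text after the closing parenthesis being ignored), and the duplicated match call can be dropped with `elif m := rgb_re.fullmatch(value):` and `r, g, b = (int(x) for x in m.groups())` (the spec's `base >= 3.8` floor permits the walrus). The 100-character cap bounds the regex's work but leaves `rgb_re` itself untouched; if that pattern (not in this hunk) contains overlapping or nested quantifiers, 100 characters still leaves a large backtracking budget, so the pattern should be reviewed rather than relying on the cap alone. The added `except ValueError: pass` silently leaves `value` as the raw `rgb(...)` text and falls through to whatever getColor does after this hunk, where the old code would have raised; that is presumably deliberate fail-soft behaviour, but it deserves a one-line comment such as `# non-integer channels (e.g. "%"): fall through to the generic handling below`. getColor's body continues past the end of the hunk.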
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Dec 18 10:01:41 UTC 2024 - Markéta Machová
+
+- Add CVE-2024-25885.patch (bsc#1231408, CVE-2024-25885)
+
 -------------------------------------------------------------------
 Tue Sep 17 02:41:49 UTC 2024 - Steve Kowalik
diff --git a/python-xhtml2pdf.spec b/python-xhtml2pdf.spec
index 25551fd..f88763d 100644
--- a/python-xhtml2pdf.spec
+++ b/python-xhtml2pdf.spec
@@ -23,6 +23,8 @@ Summary: PDF Generator Using HTML and CSS
 License: Apache-2.0
 URL: https://github.com/xhtml2pdf/xhtml2pdf
 Source: https://github.com/xhtml2pdf/xhtml2pdf/archive/refs/tags/v%{version}.tar.gz#/xhtml2pdf-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM https://github.com/xhtml2pdf/xhtml2pdf/pull/784 fix reDOS CVE in getColor function
+Patch0: CVE-2024-25885.patch
 BuildRequires: %{python_module base >= 3.8}
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools}