diff --git a/RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch b/RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch
new file mode 100644
index 0000000..b6533d8
--- /dev/null
+++ b/RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch
@@ -0,0 +1,45 @@
+--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
++++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100
+@@ -135,8 +135,18 @@
+ they were applied.
+ """
+ 
++ # Maximum allowed number of chained HTTP encodings in the
++ # Content-Encoding header.
++ max_decode_links = 5
++
+ def __init__(self, modes):
+- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
++ encodings = [m.strip() for m in modes.split(",")]
++ if len(encodings) > self.max_decode_links:
++ raise DecodeError(
++ "Too many content encodings in the chain: "
++ f"{len(encodings)} > {self.max_decode_links}"
++ )
++ self._decoders = [_get_decoder(e) for e in encodings]
+ 
+ def flush(self):
+ return self._decoders[0].flush()
+
+--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
++++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100
+@@ -135,8 +135,18 @@
+ they were applied.
+ """
+ 
++ # Maximum allowed number of chained HTTP encodings in the
++ # Content-Encoding header.
++ max_decode_links = 5
++
+ def __init__(self, modes):
+- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
++ encodings = [m.strip() for m in modes.split(",")]
++ if len(encodings) > self.max_decode_links:
++ raise DecodeError(
++ "Too many content encodings in the chain: "
++ f"{len(encodings)} > {self.max_decode_links}"
++ )
++ self._decoders = [_get_decoder(e) for e in encodings]
+ 
+ def flush(self):
+ return self._decoders[0].flush()
diff --git a/resource-agents.spec b/resource-agents.spec
index 37e26fe..77ff255 100644
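Review bot: The new `raise DecodeError(...)` message in `MultiDecoder.__init__` is built with an f-string, which is a SyntaxError at import time on the Python 2.7 (and 3.5) that the vendored 1.26-era urllib3 still supports, judging by the 2023-10-17 file date; if either bundled SDK can ever be imported under such an interpreter, the %-formatting that the rest of that file appears to use would be safer: `"Too many content encodings in the chain: %d > %d" % (len(encodings), self.max_decode_links)`. On a RHEL build with only Python 3.6+ this is moot, so treat it as a portability note rather than a blocker. The comment above `max_decode_links` would also benefit from recording why the cap exists so it survives a later re-vendoring of the SDKs, e.g. `# Bounds the Content-Encoding chain so a server cannot force an unbounded number of chained decoders (CVE-2025-66418).` The same two points apply to the identical gcp copy further down in this patch file, and the enclosing MultiDecoder class starts outside the inner hunk.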
--- a/resource-agents.spec
+++ b/resource-agents.spec
@@ -73,7 +73,7 @@
 Name: resource-agents
 Summary: Open Source HA Reusable Cluster Resource Scripts
 Version: 4.9.0
-Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.23
+Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.24
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -196,6 +196,7 @@ Patch1009: bz1943464-python-pygments-fix-CVE-2021-27291.patch
 Patch1010: RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
 Patch1011: RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch
 Patch1012: RHEL-50360-setuptools-fix-CVE-2024-6345.patch
+Patch1013: RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch
 
 Obsoletes: heartbeat-resources <= %{version}
 Provides: heartbeat-resources = %{version}
@@ -750,6 +751,9 @@ popd
 pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/gcp/google-cloud-sdk/lib/third_party
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1012}
 popd
+pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1013}
+popd
 %endif
 
 ## tree fixup
@@ -1043,6 +1047,10 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
+* Tue Jan 6 2026 Oyvind Albrigtsen - 4.9.0-54.24
+- bundled urllib3: fix CVE-2025-66418
+ Resolves: RHEL-136031
+
 * Fri Oct 31 2025 Oyvind Albrigtsen - 4.9.0-54.23
 - nfsserver: add ability to set e.g. "pipefs-directory=/run/nfs/rpc_pipefs"
 in /etc/nfs.conf to avoid issues with non-clustered Kerberized mounts
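Review bot: The new `pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}` block in the `@@ -750` hunk carries no comment, yet it deliberately differs from the preceding PATCH1012 block by staying at the bundled-lib root so that `-p1` resolves both the `aliyun/...` and `gcp/...` paths inside the new patch; a one-line comment such as `# CVE-2025-66418: one patch covers both bundled urllib3 copies (aliyun and gcp), hence -p1 from the bundled lib root` would spare the next maintainer from cross-checking the patch headers. Keeping `--fuzz=0` is appropriate for a security backport, since any context drift in a future re-vendoring then surfaces as a patch failure instead of a silently misapplied limit, so the command itself needs no change. The enclosing `%if` block and the `%install` section continue outside the hunk.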