diff --git a/CVE-2022-29167.patch b/CVE-2022-29167.patch
new file mode 100644
index 0000000..f7519d6
--- /dev/null
+++ b/CVE-2022-29167.patch
@@ -0,0 +1,121 @@
+From ade134119bf1fdc4909d00f5a952c966f0075ad3 Mon Sep 17 00:00:00 2001
+From: Yaraslau Kurmyza
+Date: Mon, 2 May 2022 13:47:12 +0200
+Subject: [PATCH] Parse URLs using stdlib
+
+---
+ lib/utils.js | 22 ++++++++++++----------
+ test/server.js | 14 ++++++++++++++
+ test/utils.js | 6 +++---
+ 3 files changed, 29 insertions(+), 13 deletions(-)
+
+diff --git a/lib/utils.js b/lib/utils.js
+index 60d8219..a2a3094 100644
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -4,6 +4,7 @@
+ 
+ const Sntp = require('sntp');
+ const Boom = require('boom');
++const Url = require('url');
+ 
+ 
+ // Declare internals
+@@ -22,12 +23,6 @@ exports.limits = {
+ };
+ 
+ 
+-// Extract host and port from request
+-
+-// $1 $2
+-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/; // (IPv4, hostname)|(IPv6)
+-
+-
+ exports.parseHost = function (req, hostHeaderName) {
+ 
+ hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
+@@ -40,14 +35,21 @@ exports.parseHost = function (req, hostHeaderName) {
+ return null;
+ }
+ 
+- const hostParts = hostHeader.match(internals.hostHeaderRegex);
+- if (!hostParts) {
++ if (hostHeader.indexOf('/') !== -1) {
+ return null;
+ }
+ 
++ let uri;
++ try {
++ uri = new Url.URL('http://' + hostHeader);
++ }
++ catch (err) {
++ return null;
++ }
++
+ return {
+- name: hostParts[1],
+- port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80))
++ name: uri.hostname,
++ port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ?
443 : 80))
+ };
+ };
+ 
+diff --git a/test/server.js b/test/server.js
+index 39e66e6..3ef23d6 100755
+--- a/test/server.js
++++ b/test/server.js
+@@ -551,6 +551,20 @@ describe('Server', () => {
+ });
+ });
+ 
++ it('errors on an bad host header (includes path and query)', async () => {
++
++ const req = {
++ method: 'GET',
++ url: '/resource/4?filter=a',
++ headers: {
++ host: 'example.com:8080/path?x=z',
++ authorization: 'Hawk'
++ }
++ };
++
++ await expect(Hawk.server.authenticate(req, credentialsFunc, { localtimeOffsetMsec: 1353788437000 - Hawk.utils.now() })).to.reject('Invalid Host header');
++ });
++
+ it('errors on an bad host header (pad port)', (done) => {
+ 
+ const req = {
+diff --git a/test/utils.js b/test/utils.js
+index 6182609..98f2422 100755
+--- a/test/utils.js
++++ b/test/utils.js
+@@ -64,7 +64,7 @@ describe('Utils', () => {
+ method: 'POST',
+ url: '/resource/4?filter=a',
+ headers: {
+- host: '[123:123:123]',
++ host: '[123:123::123]',
+ 'content-type': 'text/plain;x=y'
+ },
+ connection: {
+@@ -82,7 +82,7 @@ describe('Utils', () => {
+ method: 'POST',
+ url: '/resource/4?filter=a',
+ headers: {
+- host: '[123:123:123]:8000',
++ host: '[123:123::123]:8000',
+ 'content-type': 'text/plain;x=y'
+ },
+ connection: {
+@@ -92,7 +92,7 @@ describe('Utils', () => {
+ 
+ const host = Hawk.utils.parseHost(req, 'Host');
+ expect(host.port).to.equal('8000');
+- expect(host.name).to.equal('[123:123:123]');
++ expect(host.name).to.equal('[123:123::123]');
+ done();
+ });
+ 
+-- 
+2.23.0
+
diff --git a/nodejs-hawk.spec b/nodejs-hawk.spec
index 47e1661..e0ca485 100644
--- a/nodejs-hawk.spec
+++ b/nodejs-hawk.spec
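Review bot: The `hostHeader.indexOf('/') !== -1` guard added to parseHost in the lib/utils.js hunk rejects only one of the delimiters the WHATWG parser would otherwise strip silently: a Host value such as `user@example.com`, `example.com?x`, `example.com#x` or `example.com\x` still parses, and `uri.hostname` then differs from the raw header, so callers get a normalized name rather than a rejection, presumably also the host that feeds the MAC normalization — and the new test only covers the `/path?x=z` form, not a bare query. The parsed object already exposes the stripped components, so a post-parse check after the try/catch is cheap and makes the `/` pre-check redundant: `if (uri.username || uri.password || uri.search || uri.hash || uri.pathname !== '/') { return null; }`. The parser also lowercases and IDNA-encodes the hostname, a behavioural difference from the removed regex that deserves a comment on the `name: uri.hostname` line, e.g. `// WHATWG parser: hostname comes back lowercased and punycode-encoded`. Separately, the added test/server.js case uses `async` with `await expect(...).to.reject(...)` while its neighbour `errors on an bad host header (pad port)` uses the `(done)` callback form; if authenticate in this 4.1.2 code base is callback-based, as that neighbour suggests, the new test cannot pass, and `%global enable_tests 0` in the spec means the build will never reveal it. The remainder of parseHost lies between the inner hunks and is not visible here.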
@@ -1,11 +1,12 @@
 %global enable_tests 0
 Name: nodejs-hawk
 Version: 4.1.2
-Release: 2
+Release: 3
 Summary: HTTP Hawk authentication scheme
 License: BSD-3-Clause
 URL: https://github.com/hueniverse/hawk
 Source0: https://registry.npmjs.org/hawk/-/hawk-%{version}.tgz
+Patch0: CVE-2022-29167.patch
 BuildArch: noarch
 ExclusiveArch: %{nodejs_arches} noarch
 BuildRequires: nodejs-packaging npm(boom) npm(cryptiles) npm(hoek) npm(sntp)
@@ -17,7 +18,7 @@ Hawk is an HTTP authentication scheme using a message authentication code (MAC)
 algorithm to provide partial HTTP request cryptographic verification.
 
 %prep
-%autosetup -n package
+%autosetup -n package -p1
 %nodejs_fixdep cryptiles "^2.0.5"
 %nodejs_fixdep boom "^2.10.1"
 %nodejs_fixdep hoek "^0.9.1"
@@ -45,6 +46,9 @@ cp -pr package.json lib %{buildroot}%{nodejs_sitelib}/hawk
 %{nodejs_sitelib}/hawk
 
 %changelog
+* Tue May 17 2022 houyingchao - 4.1.2-3
+- Fix CVE-2022-29167
+
 * Mon May 9 2022 liyanan - 4.1.2-2
 - License compliance rectification