diff --git a/CVE-2021-22885.patch b/CVE-2021-22885.patch
new file mode 100644
index 0000000..a77cdaf
--- /dev/null
+++ b/CVE-2021-22885.patch
@@ -0,0 +1,53 @@
+From be6dd1c705551823db13b47ca76b0a6540e21135 Mon Sep 17 00:00:00 2001
+From: Gannon McGibbon <gannon.mcgibbon@shopify.com>
+Date: Thu, 18 Feb 2021 13:17:08 -0500
+Subject: [PATCH] Prevent string polymorphic route arguments
+
+url_for supports building polymorphic URLs via an array
+of arguments (usually symbols and records). If an array is passed,
+strings can result in unwanted route helper calls.
+
+CVE-2021-22885
+---
+ .../action_dispatch/routing/polymorphic_routes.rb    | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
+index 6da869c..84b78e1 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
++++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/polymorphic_routes.rb
+@@ -288,10 +288,12 @@ module ActionDispatch
+ 
+             args = []
+ 
+-            route = record_list.map { |parent|
++            route = record_list.map do |parent|
+               case parent
+-              when Symbol, String
++              when Symbol
+                 parent.to_s
++              when String
++                raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
+               when Class
+                 args << parent
+                 parent.model_name.singular_route_key
+@@ -299,12 +301,14 @@ module ActionDispatch
+                 args << parent.to_model
+                 parent.to_model.model_name.singular_route_key
+               end
+-            }
++            end
+ 
+             route <<
+             case record
+-            when Symbol, String
++            when Symbol
+               record.to_s
++            when String
++              raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
+             when Class
+               @key_strategy.call record.model_name
+             else
+-- 
+2.23.0
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 3d24da9..e51156e 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -4,12 +4,13 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             5.2.4.4
-Release:             1
+Release:             2
 Summary:             Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License:             MIT
 URL:                 http://rubyonrails.org
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
+Patch0:              CVE-2021-22885.patch
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2
 %if ! 0%{?bootstrap}
 BuildRequires:       rubygem(activemodel) = %{version} rubygem(activerecord) = %{version}
@@ -33,6 +34,7 @@ Documentation for %{name}.
 %prep
 %setup -q -c -T
 %gem_install -n %{SOURCE0}
+%patch0 -p1
 
 %build
 
@@ -63,7 +65,10 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
-* Mon Feb  8 2021sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
+* Fri Jun 11 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-2
+- Fix CVE-2021-22885
+
+* Mon Feb  8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
 - Upgrade to 5.2.4.4
 
 * Sat Aug 8 2020 chengzihan <chengzihan2@huawei.com> - 5.2.3-1