diff --git a/SOURCES/squid-3.5.20-CVE-2020-25097.patch b/SOURCES/squid-3.5.20-CVE-2020-25097.patch
new file mode 100644
index 0000000..dec4382
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2020-25097.patch
@@ -0,0 +1,28 @@
+diff --git a/src/url.cc b/src/url.cc
+index ebdecbf..44255c2 100644
+--- a/src/url.cc
++++ b/src/url.cc
+@@ -256,8 +256,9 @@ urlParse(const HttpRequestMethod& method, char *url, HttpRequest *request)
+             return NULL;
+         *dst = '\0';
+ 
+-        // bug 3074: received 'path' starting with '?', '#', or '\0' implies '/'
+-        if (*src == '?' || *src == '#' || *src == '\0') {
++        // We are looking at path-abempty.
++        if (*src != '/') {
++            // path-empty, including the end of the `src` c-string cases
+             urlpath[0] = '/';
+             dst = &urlpath[1];
+         } else {
+@@ -271,11 +272,6 @@ urlParse(const HttpRequestMethod& method, char *url, HttpRequest *request)
+         /* We -could- be at the end of the buffer here */
+         if (i > l)
+             return NULL;
+-        /* If the URL path is empty we set it to be "/" */
+-        if (dst == urlpath) {
+-            *dst = '/';
+-            ++dst;
+-        }
+         *dst = '\0';
+ 
+         protocol = urlParseProtocol(proto);
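Review bot: The replacement comment at `if (*src != '/')` names path-abempty but does not record why the test changed from three listed bytes ('?', '#', NUL) to every byte other than '/', and the pointer to bug 3074 disappears with the old line. This condition is the security-relevant decision in the backport, so I would state it next to the check, e.g. `// RFC 3986 path-abempty is empty or starts with '/'; any other byte here gets a '/' prepended so the stored path always begins with '/' (CVE-2020-25097)`. That wording also explains why the `dst == urlpath` fallback removed in the embedded patch's later `@@ -271` hunk is no longer needed, assuming the else branch copies from `src` unchanged. The else body, the copy loop and the rest of urlParse are outside the hunk, so that assumption cannot be confirmed from here.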
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 2eab55a..2396ec9 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@
 
 Name:     squid
 Version:  3.5.20
-Release:  17%{?dist}.5
+Release:  17%{?dist}.6
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -86,6 +86,8 @@ Patch509: squid-3.5.20-CVE-2020-24606.patch
 Patch510: squid-3.5.20-CVE-2020-15810.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1871702
 Patch511: squid-3.5.20-CVE-2020-15811.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1939925
+Patch512: squid-3.5.20-CVE-2020-25097.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@@ -185,6 +187,7 @@ migration and script which prepares squid for downgrade operation.
 %patch509 -p1 -b .CVE-2020-24606
 %patch510 -p1 -b .CVE-2020-15810
 %patch511 -p1 -b .CVE-2020-15811
+%patch512 -p1 -b .CVE-2020-25097
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1471140
 # Patch in the vendor documentation and used different location for documentation
@@ -414,6 +417,10 @@ fi
     chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 
 %changelog
+* Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:3.5.20-17.6
+- Resolves: #1944256 - CVE-2020-25097 squid: improper input validation may allow
+  a trusted client to perform HTTP Request Smuggling
+
 * Mon Oct 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:3.5.20-17.5
 - Resolves: #1890581 - Fix for CVE 2019-13345 breaks authentication in
   cachemgr.cgi