diff --git a/debian/changelog b/debian/changelog
index 701dbd8..d4df108 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libscram-java (2.1-1+deepin) unstable; urgency=medium
+
+ * Fix CVE-2025-59432: timing side-channel in SCRAM authentication.
+
+ -- deepin-ci-robot Mon, 27 Apr 2026 19:34:34 +0800
+
 libscram-java (2.1-1) unstable; urgency=medium

 * New upstream version 2.1.
diff --git a/debian/patches/CVE-2025-59432-fix-timing-side-channel.patch b/debian/patches/CVE-2025-59432-fix-timing-side-channel.patch
new file mode 100644
index 0000000..cc469b7
--- /dev/null
+++ b/debian/patches/CVE-2025-59432-fix-timing-side-channel.patch
@@ -0,0 +1,48 @@
+From: Security Fix
+Date: Mon, 27 Apr 2026 11:24:00 +0000
+Subject: Fix timing side-channel vulnerability in SCRAM authentication
+
+Replace Arrays.equals() with MessageDigest.isEqual() in ScramFunctions.java
+to prevent timing side-channel attacks during credential verification.
+
+Arrays.equals() performs a short-circuit comparison that leaks timing
+information, while MessageDigest.isEqual() performs a constant-time
+comparison that is resistant to timing attacks.
+
+CVE-2025-59432
+Upstream-fix: https://github.com/ongres/scram/commit/e0b0cf99f05406a0d26682c72fcb5728e95124b3
+
+---
+ .../ongres/scram/common/ScramFunctions.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/common/src/main/java/com/ongres/scram/common/ScramFunctions.java b/common/src/main/java/com/ongres/scram/common/ScramFunctions.java
+index 1111111..2222222 100644
+--- a/common/src/main/java/com/ongres/scram/common/ScramFunctions.java
++++ b/common/src/main/java/com/ongres/scram/common/ScramFunctions.java
+@@ -28,7 +28,7 @@ package com.ongres.scram.common;
+ import com.ongres.scram.common.util.CryptoUtil;
+
+ import java.nio.charset.StandardCharsets;
+-import java.util.Arrays;
++import java.security.MessageDigest;
+
+ /**
+ * Utility functions (e.g. crypto) for SCRAM.
+@@ -231,7 +231,7 @@ public class ScramFunctions {
+ byte[] clientKey = CryptoUtil.xor(clientSignature, clientProof);
+ byte[] computedStoredKey = hash(scramMechanism, clientKey);
+
+- return Arrays.equals(storedKey, computedStoredKey);
++ return MessageDigest.isEqual(storedKey, computedStoredKey);
+ }
+
+ /**
+@@ -245,6 +245,6 @@ public class ScramFunctions {
+ public static boolean verifyServerSignature(
+ ScramMechanism scramMechanism, byte[] serverKey, String authMessage, byte[] serverSignature
+ ) {
+- return Arrays.equals(serverSignature(scramMechanism, serverKey, authMessage), serverSignature);
++ return MessageDigest.isEqual(serverSignature(scramMechanism, serverKey, authMessage), serverSignature);
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9e7237c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2025-59432-fix-timing-side-channel.patch
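Review bot: The embedded quilt patch in `debian/patches/CVE-2025-59432-fix-timing-side-channel.patch` does not read as a verbatim export of the upstream commit it cites: its `index 1111111..2222222` line is a placeholder, `From: Security Fix` names no author, and the diffstat (`3 insertions(+), 2 deletions(-)`) disagrees with the three `-` and three `+` lines in its own hunks. For a CVE fix the provenance should be checkable, so I would regenerate the patch from the commit given in `Upstream-fix:` and record it with the DEP-3 field `Origin: upstream, https://github.com/ongres/scram/commit/e0b0cf99f05406a0d26682c72fcb5728e95124b3`, which also lets a reviewer confirm that no other comparison sites were changed upstream. The first inner hunk drops `import java.util.Arrays;`; whether `ScramFunctions.java` still uses `Arrays` elsewhere is not visible in these hunks, so a package build should confirm the file compiles with the import gone.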