diff --git a/SPECS/gh/CVE-2024-45337.patch b/SPECS/gh/CVE-2024-45337.patch
new file mode 100644
index 00000000000..868ef502b5d
--- /dev/null
+++ b/SPECS/gh/CVE-2024-45337.patch
@@ -0,0 +1,80 @@
+From 66fd5d19c5ea8c7f4f7ff69bcc93a7c8231ce4cf Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 3 Dec 2024 09:03:03 -0800
+Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache
+
+Users of the the ssh package seem to extremely commonly misuse the
+PublicKeyCallback API, assuming that the key passed in the last call
+before a connection is established is the key used for authentication.
+Some users then make authorization decisions based on this key. This
+property is not documented, and may not be correct, due to the caching
+behavior of the package, resulting in users making incorrect
+authorization decisions about the connection.
+
+This change makes the cache a one entry FIFO cache, making the assumed
+property, that the last call to PublicKeyCallback represents the key
+actually used for authentication, actually hold.
+
+Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and
+Jules Duvivier from the Platform.sh / Upsun engineering team
+for reporting this issue.
+
+Fixes golang/go#70779
+Fixes CVE-2024-45337
+
+Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
+---
+ vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
+index c2dfe32..39dcc09 100644
+--- a/vendor/golang.org/x/crypto/ssh/server.go
++++ b/vendor/golang.org/x/crypto/ssh/server.go
+@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
+ }
+ 
+ // cachedPubKey contains the results of querying whether a public key is
+-// acceptable for a user.
++// acceptable for a user. This is a FIFO cache.
+ type cachedPubKey struct {
+ 	user       string
+ 	pubKeyData []byte
+@@ -157,7 +157,13 @@ type cachedPubKey struct {
+ 	perms      *Permissions
+ }
+ 
+-const maxCachedPubKeys = 16
++// maxCachedPubKeys is the number of cache entries we store.
++//
++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
++// to 1, such that the only key in the cache is the most recently seen one. This
++// forces the behavior that the last call to PublicKeyCallback will always be
++// with the key that is used for authentication.
++const maxCachedPubKeys = 1
+ 
+ // pubKeyCache caches tests for public keys.  Since SSH clients
+ // will query whether a public key is acceptable before attempting to
+@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
+ 
+ // add adds the given tuple to the cache.
+ func (c *pubKeyCache) add(candidate cachedPubKey) {
+-	if len(c.keys) < maxCachedPubKeys {
+-		c.keys = append(c.keys, candidate)
++	if len(c.keys) >= maxCachedPubKeys {
++		c.keys = c.keys[1:]
+ 	}
++	c.keys = append(c.keys, candidate)
+ }
+ 
+ // ServerConn is an authenticated SSH connection, as seen from the
+-- 
+2.34.1
+
diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec
index 4e8e16fa9d3..333a8a65a89 100644
--- a/SPECS/gh/gh.spec
+++ b/SPECS/gh/gh.spec
@@ -1,7 +1,7 @@
 Summary:        GitHub official command line tool
 Name:           gh
 Version:        2.62.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -15,6 +15,8 @@ Source1:        %{name}-%{version}-vendor.tar.gz
 
 Patch0:         0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch
 Patch1:         CVE-2024-54132.patch
+Patch2:         CVE-2024-45337.patch
+
 BuildRequires:  golang < 1.23
 BuildRequires:  git
 Requires:       git
@@ -25,10 +27,9 @@ Requires:       git
 GitHub official command line tool.
 
 %prep
-%autosetup -p1 -n cli-%{version}
+%autosetup -p1 -n cli-%{version} -a1
 
 %build
-tar --no-same-owner -xf %{SOURCE1}
 export GOPATH=%{our_gopath}
 # No mod download use vednor cache locally
 export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
@@ -57,6 +58,9 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
+* Wed Jan 08 2025 Muhammad Falak <mwani@microsoft.com> - 2.62.0-3
+- Patch CVE-2024-45337
+
 * Fri Dec 13 2024 Sandeep Karambelkar <skarambelkar@microsoft.com> - 2.62.0-2
 - Patch CVE-2024-54132