diff --git a/CHANGES.md b/CHANGES.md
index 0985263ca94..cd091257667 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -20,6 +20,7 @@ Apollo 2.4.0
* [Refactor: align database ClusterName and NamespaceName fields lengths](https://github.com/apolloconfig/apollo/pull/5263)
* [Feature: Added the value length limit function for AppId-level configuration items](https://github.com/apolloconfig/apollo/pull/5264)
* [Fix: ensure clusters order in envClusters open api](https://github.com/apolloconfig/apollo/pull/5277)
+* [Fix: bump xstream from 1.4.20 to 1.4.21 to fix CVE-2024-47072](https://github.com/apolloconfig/apollo/pull/5280)
* [Feature: Added current limiting function to ConsumerToken](https://github.com/apolloconfig/apollo/pull/5267)
------------------
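Review bot: The added entry for pull 5280 is inserted above the existing ConsumerToken entry (pull 5267) instead of being appended as the last item of the Apollo 2.4.0 list, so the list no longer reads in the order changes landed. Consider moving it to the end, directly above the `------------------` separator. Since this is the only entry in the visible list that addresses a CVE, a distinct prefix (for example "Security:" rather than "Fix:") would also make it easier for operators scanning the release notes to spot that the upgrade carries a vulnerability fix.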
diff --git a/pom.xml b/pom.xml
index 31929d5d2bc..93db6c18277 100644
--- a/pom.xml
+++ b/pom.xml
@@ -200,11 +200,11 @@
commons-lang3
${common-lang3.version}
-
+
com.thoughtworks.xstream
xstream
- 1.4.20
+ 1.4.21
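Review bot: The xstream version is still a hard-coded literal (`1.4.21`) in the dependency entry, while the commons-lang3 entry just above it takes its version from `${common-lang3.version}`. Moving the xstream version into a property in the same way (a name such as `xstream.version` is a suggestion, not something in this patch) would keep the next security bump to a one-line change in the properties block and make the pinned version easier to audit. Separately, the `-`/`+` pair ahead of the `com.thoughtworks.xstream` line shows no visible content difference; if it is a whitespace-only change, it is better left out of a CVE fix so the diff contains only the version bump.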