diff --git a/pkgs/servers/squid/default.nix b/pkgs/servers/squid/default.nix
index 2fdbc29caedf..fde29dc7e80c 100644
--- a/pkgs/servers/squid/default.nix
+++ b/pkgs/servers/squid/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, perl, openldap, pam, db, cyrus_sasl, libcap
-, expat, libxml2, openssl }:
+, expat, libxml2, openssl, fetchpatch }:
 
 stdenv.mkDerivation rec {
   name = "squid-3.5.28";
@@ -9,6 +9,14 @@ stdenv.mkDerivation rec {
     sha256 = "1n4f55g56b11qz4fazrnvgzx5wp6b6637c4qkbd1lrjwwqibchgx";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "3.5-CVE-2019-13345.patch";
+      url = "https://github.com/squid-cache/squid/commit/5730c2b5cb56e7639dc423dd62651c8736a54e35.patch";
+      sha256 = "0955432g9a00vwxzcrwpjzx6vywspx1cxhr7bknr7jzbzam5sxi3";
+    })
+  ];
+
   buildInputs = [
     perl openldap db cyrus_sasl expat libxml2 openssl
   ] ++ stdenv.lib.optionals stdenv.isLinux [ libcap pam ];