diff --git a/pkgs/development/interpreters/lua-5/CVE-2022-28805.patch b/pkgs/development/interpreters/lua-5/CVE-2022-28805.patch
new file mode 100644
index 000000000000..bcf16acbea42
--- /dev/null
+++ b/pkgs/development/interpreters/lua-5/CVE-2022-28805.patch
@@ -0,0 +1,10 @@
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -301,6 +301,7 @@
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k == VLOCAL || var->k == VUPVAL);
++    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(ls, &key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
diff --git a/pkgs/development/interpreters/lua-5/default.nix b/pkgs/development/interpreters/lua-5/default.nix
index 5230a46afef3..40aa429d8e27 100644
--- a/pkgs/development/interpreters/lua-5/default.nix
+++ b/pkgs/development/interpreters/lua-5/default.nix
@@ -32,7 +32,9 @@ rec {
     sourceVersion = { major = "5"; minor = "2"; patch = "4"; };
     hash = "0jwznq0l8qg9wh5grwg07b5cy3lzngvl5m2nl1ikp6vqssmf9qmr";
     makeWrapper = makeBinaryWrapper;
-    patches = lib.optional stdenv.isDarwin ./5.2.darwin.patch;
+    patches = [
+      ./CVE-2022-28805.patch
+    ] ++ lib.optional stdenv.isDarwin ./5.2.darwin.patch;
   };
 
   lua5_2_compat = lua5_2.override({