diff --git a/pkgs/development/libraries/qpdf/default.nix b/pkgs/development/libraries/qpdf/default.nix
index 00ce51330487..7622254afd97 100644
--- a/pkgs/development/libraries/qpdf/default.nix
+++ b/pkgs/development/libraries/qpdf/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libjpeg, zlib, perl }:
+{ stdenv, fetchurl, fetchpatch, libjpeg, zlib, perl }:
 
 let version = "8.0.2";
 in
@@ -14,6 +14,14 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ zlib libjpeg ];
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2018-9918.patch";
+      url = "https://github.com/qpdf/qpdf/commit/b4d6cf6836ce025ba1811b7bbec52680c7204223";
+      sha256 = "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73";
+    })
+  ];
+
   postPatch = ''
     patchShebangs qpdf/fix-qdf
   '';