diff --git a/pkgs/development/libraries/libsass/default.nix b/pkgs/development/libraries/libsass/default.nix
index 8168ff0edae4..38ba93d4f7c5 100644
--- a/pkgs/development/libraries/libsass/default.nix
+++ b/pkgs/development/libraries/libsass/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoreconfHook }:
+{ stdenv, fetchurl, fetchpatch, autoreconfHook }:
 stdenv.mkDerivation rec {
   name = "libsass-${version}";
@@ -9,7 +9,15 @@ stdenv.mkDerivation rec {
     sha256 = "0w47hvzmbdpbjx8j83wn8dwcvglpab8abkszf9xfzrpqvb6wnqaz";
   };
-  patchPhase = ''
+  patches = [
+    # CVE-2018-11693, is in master but no release yet
+    (fetchpatch {
+      url = "https://github.com/sass/libsass/commit/af0e12cdf09d43dbd1fc11e3f64b244277cc1a1e.patch";
+      sha256 = "1y8yvjvvz91lcr1kpq2pw8729xhdgp15mbldcw392pfzdlliwdyl";
+    })
+  ];
+
+  preConfigure = ''
     export LIBSASS_VERSION=${version}
   '';
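Review bot: The comment on the `fetchpatch` entry in `patches` (second hunk) says the fix is unreleased but not when the entry should be dropped, so a later version bump has no cue to remove the backport. I would word it as `# CVE-2018-11693: backported from upstream master; remove once version is bumped to a release that contains this commit`. The move of the `LIBSASS_VERSION` export from `patchPhase` to `preConfigure` also deserves a one-line comment such as `# not patchPhase: overriding it would skip the entries in patches`, because a custom `patchPhase` replaces the default phase that applies `patches` and moving the export back would silently disable the security fix. The derivation body starts and ends outside the hunk.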