diff --git a/pkgs/applications/networking/irc/quassel/default.nix b/pkgs/applications/networking/irc/quassel/default.nix
index 78646f7a8b2f32..c68f67ab0d94d8 100644
--- a/pkgs/applications/networking/irc/quassel/default.nix
+++ b/pkgs/applications/networking/irc/quassel/default.nix
@@ -4,7 +4,7 @@
 , tag ? "" # tag added to the package name
 , static ? false # link statically
-, stdenv, fetchurl, cmake, makeWrapper, dconf
+, stdenv, fetchurl, fetchpatch, cmake, makeWrapper, dconf
 , qtbase, qtscript
 , phonon, libdbusmenu, qca-qt5
@@ -32,10 +32,10 @@ assert !buildClient -> !withKDE; # KDE is used by the client only
 let edf = flag: feature: [("-D" + feature + (if flag then "=ON" else "=OFF"))];
- source = import ./source.nix { inherit fetchurl; };
+ source = import ./source.nix { inherit fetchurl fetchpatch; };
 in with stdenv; mkDerivation rec {
- inherit (source) src version;
+ inherit (source) src version patches;
 name = "quassel${tag}-${version}";
diff --git a/pkgs/applications/networking/irc/quassel/source.nix b/pkgs/applications/networking/irc/quassel/source.nix
index f3941ee976e4b2..b66cff296dd012 100644
--- a/pkgs/applications/networking/irc/quassel/source.nix
+++ b/pkgs/applications/networking/irc/quassel/source.nix
@@ -1,4 +1,4 @@
-{ fetchurl }:
+{ fetchurl, fetchpatch }:
 rec {
 version = "0.12.4";
@@ -6,4 +6,16 @@ rec {
 url = "https://github.com/quassel/quassel/archive/${version}.tar.gz";
 sha256 = "0q2qlhy1d6glw9pwxgcgwvspd1mkk3yi6m21dx9gnj86bxas2qs2";
 };
+ patches = [
+ (fetchpatch {
+ name = "CVE-XXX-RCE.patch";
+ url = "https://quassel-irc.org/pub/misc/0001-Implement-custom-deserializer-to-add-our-own-sanity-.patch";
+ sha256 = "0w7gx0xhqfb2h1rxlh9q96bdd23szbxdjs3ydmrzzvyxj5sk8dzd";
+ })
+ (fetchpatch {
+ name = "CVE-XXX-DOS.patch";
+ url = "https://quassel-irc.org/pub/misc/0002-Reject-clients-that-attempt-to-login-before-the-core.patch";
+ sha256 = "0is2jf7qppsx2y10f0zazm27lnkam83wpm8wmnfmdxdxj656ifd1";
+ })
+ ];
 }
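Review bot: The two `fetchpatch` entries added to `patches` in source.nix carry placeholder names (`CVE-XXX-RCE.patch`, `CVE-XXX-DOS.patch`) and nothing tells the next maintainer when they can be dropped or which advisory they belong to. I would put a comment above the list, for example `# Security fixes not in the 0.12.4 tarball: drop when version moves to a release that contains them; rename once CVE ids are assigned.` Both URLs point at files under `quassel-irc.org/pub/misc/` rather than at commits in the upstream repository. The `sha256` values pin the content, so a changed file fails the fetch instead of being applied, but a moved or deleted file breaks the build for anyone without the output already cached. Switching to upstream commit URLs once they exist would be more durable. The `rec { … }` set opens before this hunk.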