diff --git a/pkgs/development/libraries/sqlite/CVE-2022-35737.patch b/pkgs/development/libraries/sqlite/CVE-2022-35737.patch
new file mode 100644
index 000000000000..3837353260a0
--- /dev/null
+++ b/pkgs/development/libraries/sqlite/CVE-2022-35737.patch
@@ -0,0 +1,15 @@
+diff --git a/sqlite3.c b/sqlite3.c
+index eb8d7d5..3918a09 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -30231,8 +30231,8 @@ SQLITE_API void sqlite3_str_vappendf(
+ case etSQLESCAPE: /* %q: Escape ' characters */
+ case etSQLESCAPE2: /* %Q: Escape ' and enclose in '...' */
+ case etSQLESCAPE3: { /* %w: Escape " characters */
+- int i, j, k, n, isnull;
+- int needQuote;
++ i64 i, j, k, n;
++ int needQuote, isnull;
+ char ch;
+ char q = ((xtype==etSQLESCAPE3)?'"':'\''); /* Quote character */
+ char *escarg;
diff --git a/pkgs/development/libraries/sqlite/default.nix b/pkgs/development/libraries/sqlite/default.nix
index 7677406874a5..70b8c777e978 100644
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
 sha256 = "sha256-WvB96YK6ZY/ZGgMXDJRfmclx9pVbx53zJmVENz45hpw=";
 };
+ patches = [ ./CVE-2022-35737.patch ];
+ outputs = [ "bin" "dev" "out" ]; separateDebugInfo = stdenv.isLinux;
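Review bot: The vendored patch has no preamble naming the upstream SQLite check-in it was taken from, so a reader cannot confirm that this declaration change is the complete fix for CVE-2022-35737. The inner hunk only widens `i, j, k, n` from `int` to `i64` in the `%q`/`%Q`/`%w` case of `sqlite3_str_vappendf`. The loop that counts escape characters and the buffer-size computation that consume those counters lie outside the hunk, so it cannot be checked from here that none of them narrows the value back to `int`. I would add a short header above the inner `diff --git` line, for example `Backport of the upstream fix for CVE-2022-35737; source: <upstream check-in URL>`. That lets the patch be compared against upstream byte for byte.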
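Review bot: The new `patches` entry in `default.nix` has no comment saying when it can be dropped, so a security backport like this tends to outlive its purpose or be removed by accident on a version bump. I would put `# CVE-2022-35737 backport; remove once the packaged version contains the upstream fix` directly above `patches = [ ./CVE-2022-35737.patch ];`. The patch targets `sqlite3.c` at the source root, and the `src` attribute starts outside this hunk, so presumably this is the amalgamation tarball. Any sibling derivation that builds SQLite from a different source would not receive the fix, which is worth confirming.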