diff --git a/pkgs/development/libraries/mbedtls/2.nix b/pkgs/development/libraries/mbedtls/2.nix
index 97d62fad3ced1..42fb6edae78f2 100644
--- a/pkgs/development/libraries/mbedtls/2.nix
+++ b/pkgs/development/libraries/mbedtls/2.nix
@@ -1,6 +1,6 @@
 { callPackage }:
 callPackage ./generic.nix {
- version = "2.28.7";
- hash = "sha256-JI0Frbz4HkPqrLQNrSIj1ikN8201h4kd1wTwyPotERw=";
+ version = "2.28.8";
+ hash = "sha256-A1DYZrvJ8SRujroVwqPfcTOSgLnT5xRat/RVdq2fL/o=";
 }
diff --git a/pkgs/development/libraries/mbedtls/3.nix b/pkgs/development/libraries/mbedtls/3.nix
index 267349ac5d7be..abba77308a61c 100644
--- a/pkgs/development/libraries/mbedtls/3.nix
+++ b/pkgs/development/libraries/mbedtls/3.nix
@@ -1,6 +1,14 @@
-{ callPackage }:
+{ callPackage, fetchpatch }:
 callPackage ./generic.nix {
 version = "3.5.2";
 hash = "sha256-lVGmnSYccNmRS6vfF/fDiny5cYRPc/wJBpgciFLPUvM=";
+
+ patches = [
+ (fetchpatch {
+ name = "CVE-2024-28755.patch";
+ url = "https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb59211118a29fe115367c24495300c2.patch";
+ hash = "sha256-MUnGT2ptlBikpZYL6+cvoF7fOiD2vMK4cbkgevgyl60=";
+ })
+ ];
 }
diff --git a/pkgs/development/libraries/mbedtls/generic.nix b/pkgs/development/libraries/mbedtls/generic.nix
index 2e79a593b7c31..045f59b269eda 100644
--- a/pkgs/development/libraries/mbedtls/generic.nix
+++ b/pkgs/development/libraries/mbedtls/generic.nix
@@ -3,6 +3,7 @@
 , version
 , hash
 , fetchFromGitHub
+, patches ? []
 , cmake
 , ninja
@@ -23,6 +24,8 @@ stdenv.mkDerivation rec {
 inherit hash;
 };
+ inherit patches;
+
 nativeBuildInputs = [ cmake ninja perl python3 ];
 strictDeps = true;
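Review bot: The `patches` list added in `3.nix` has no comment saying when the backport can be dropped, so a later bump of `version` may leave a patch in place that no longer applies or is already upstream. A line such as `# Backport of the upstream fix; remove once version is bumped to a release that contains this commit.` above the `fetchpatch` call would make that explicit. The 2.x package takes everything in its new point release, while 3.5.2 receives only this single commit, so it is worth confirming that no other fix from the same upstream release round also applies to the 3.x branch. The patch URL is pinned to a full commit id and checked against a fixed-output hash, which is the right shape for a security backport.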