diff --git a/pkgs/tools/security/agebox/default.nix b/pkgs/tools/security/agebox/default.nix
index b87cb2b8ca2a..fb75fbf9b093 100644
--- a/pkgs/tools/security/agebox/default.nix
+++ b/pkgs/tools/security/agebox/default.nix
@@ -1,4 +1,4 @@
-{ lib, buildGoModule, fetchFromGitHub }:
+{ lib, buildGoModule, fetchFromGitHub, fetchpatch }:
 
 buildGoModule rec {
   pname = "agebox";
@@ -11,7 +11,16 @@ buildGoModule rec {
     hash = "sha256-W6/v5BIl+k6tMan/Wdua7mHKMsq23QZN13Cy24akJr4=";
   };
 
-  vendorHash = "sha256-PLeNTlQ0OMcupfbVN/KGb0iJYf3Jbcevg8gTcKHpn8s=";
+  patches = [
+    # Update gopkg.in/yaml.v2 to v2.2.8 to fix vulnerabilities.
+    # https://github.com/slok/agebox/pull/199
+    (fetchpatch {
+      url = "https://github.com/slok/agebox/commit/40a515d39911f601ebe05cc914e8a02695d85dc7.patch";
+      hash = "sha256-0iBI0nID12OoWqWY/8MPb3vvTUDe0JdSHu2vefix/bM=";
+    })
+  ];
+
+  vendorHash = "sha256-MNAF2ExIOYPzXyGR6H7lfUEhnMDCyD7ecst5MKm7u+A=";
 
   ldflags = [
     "-s"