diff --git a/static-build/cmake/AddDependencyProjects.cmake b/static-build/cmake/AddDependencyProjects.cmake
index 9ba17ec9517851864c68010264e24e910eebcbd5..7ed6d3727986a960d11683d05b6578e982cbba94 100644
--- a/static-build/cmake/AddDependencyProjects.cmake
+++ b/static-build/cmake/AddDependencyProjects.cmake
@@ -191,6 +191,7 @@ ExternalProject_Add(readline
         --prefix=<INSTALL_DIR>
         --disable-shared
     PATCH_COMMAND patch -d <SOURCE_DIR> -p0 -i "${PATCHES_DIR}/readline80-001.patch"
+    COMMAND       patch -d <SOURCE_DIR> -p1 -i "${PATCHES_DIR}/readline-tarantool-security-95.patch"
 )
 set(TARANTOOL_DEPENDS readline ${TARANTOOL_DEPENDS})
 
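Review bot: The added `COMMAND patch -d <SOURCE_DIR> -p1 -i ...` line runs with patch's default fuzz, so if the readline sources differ from the ones this patch was cut against, its hunks can still apply with loosened context and the step exits 0. For a security fix it is safer to fail the build on any context mismatch, for example `COMMAND patch -d <SOURCE_DIR> -p1 -F 0 -i "${PATCHES_DIR}/readline-tarantool-security-95.patch"`. The `ExternalProject_Add(readline` call starts above this hunk, so the readline version it pins is not visible here and should be confirmed to match the line numbers in the patch.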
diff --git a/static-build/patches/readline-tarantool-security-95.patch b/static-build/patches/readline-tarantool-security-95.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c4fa559815a95c0ea2d2391b0eed4fd0213572c2
--- /dev/null
+++ b/static-build/patches/readline-tarantool-security-95.patch
@@ -0,0 +1,18 @@
+--- readline.old/histfile.c	2023-02-17 13:01:18.515248292 +0300
++++ readline/histfile.c	2023-02-17 13:02:42.034252562 +0300
+@@ -492,6 +492,7 @@
+   tempname = 0;
+   file = filename ? open (filename, O_RDONLY|O_BINARY, 0666) : -1;
+   rv = exists = 0;
++  orig_lines = lines;
+ 
+   /* Don't try to truncate non-regular files. */
+   if (file == -1 || fstat (file, &finfo) == -1)
+@@ -547,7 +548,6 @@
+       goto truncate_exit;
+     }
+ 
+-  orig_lines = lines;
+   /* Count backwards from the end of buffer until we have passed
+      LINES lines.  bp1 is set funny initially.  But since bp[1] can't
+      be a comment character (since it's off the end) and *bp can't be
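Review bot: The new patch file starts directly at the `--- readline.old/histfile.c` header with no description, and the name `security-95` alone does not say what is fixed, so a later readline upgrade gives no way to tell whether the patch is still needed. Add a short header above the `---` line (patch skips leading text), such as `histfile.c: assign orig_lines before the early exits to truncate_exit`, together with the upstream report status. The visible hunks only move `orig_lines = lines;` from below a `goto truncate_exit;` to just after `rv = exists = 0;`. Presumably the fix targets a read of `orig_lines` on an early-exit path, but that use lies outside the patch context, so the header should name it.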