diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 919303e3be4..4fea08f0688 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -24,6 +24,10 @@ class SearchController < ApplicationController
       raise Discourse::InvalidParameters.new(:q)
     end
 
+    if @search_term.present? && @search_term.include?("\u0000")
+      raise Discourse::InvalidParameters.new("string contains null byte")
+    end
+
     search_args = {
       type_filter: 'topic',
       guardian: guardian,
@@ -68,6 +72,10 @@ class SearchController < ApplicationController
   def query
     params.require(:term)
 
+    if params[:term].include?("\u0000")
+      raise Discourse::InvalidParameters.new("string contains null byte")
+    end
+
     search_args = { guardian: guardian }
 
     search_args[:type_filter] = params[:type_filter]                 if params[:type_filter].present?
diff --git a/spec/requests/search_controller_spec.rb b/spec/requests/search_controller_spec.rb
index f583be479f7..72dc29a004b 100644
--- a/spec/requests/search_controller_spec.rb
+++ b/spec/requests/search_controller_spec.rb
@@ -197,6 +197,13 @@ describe SearchController do
       expect(response.status).to eq(400)
     end
 
+    it "returns a 400 error if you search for null bytes" do
+      term = "hello\0hello"
+
+      get "/search.json", params: { q: term }
+      expect(response.status).to eq(400)
+    end
+
     it "logs the search term" do
       SiteSetting.log_search_queries = true
       get "/search.json", params: { q: 'bantha' }