diff --git a/pkgs/development/libraries/xmlsec/default.nix b/pkgs/development/libraries/xmlsec/default.nix
index 6b3468e5d57c..18ee99804d3c 100644
--- a/pkgs/development/libraries/xmlsec/default.nix
+++ b/pkgs/development/libraries/xmlsec/default.nix
@@ -1,9 +1,11 @@
 { stdenv, fetchurl, libxml2, gnutls, libxslt, pkgconfig, libgcrypt, libtool
-, openssl, nss, lib, runCommandCC, writeText }:
+# nss_3_53 is used instead of the latest due to a number of issues:
+# https://github.com/lsh123/xmlsec/issues?q=is%3Aissue+is%3Aopen+nss
+, openssl, nss_3_53, lib, runCommandCC, writeText }:
 
 lib.fix (self:
 let
-  version = "1.2.30";
+  version = "1.2.31";
 in
 stdenv.mkDerivation {
   pname = "xmlsec";
@@ -11,7 +13,7 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "https://www.aleksey.com/xmlsec/download/xmlsec1-${version}.tar.gz";
-    sha256 = "1j5bf7ni45jghyrbf7a14wx2pvfara557zyry7g7h8840c5kd11d";
+    sha256 = "mxC8Uswx5PdhYuOXXlDbJrcatJxXHYELMRymJr5aCyY=";
   };
 
   patches = [
@@ -25,11 +27,11 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ pkgconfig ];
 
-  buildInputs = [ libxml2 gnutls libxslt libgcrypt libtool openssl nss ];
+  buildInputs = [ libxml2 gnutls libxslt libgcrypt libtool openssl nss_3_53 ];
 
   enableParallelBuilding = true;
   doCheck = true;
-  checkInputs = [ nss.tools ];
+  checkInputs = [ nss_3_53.tools ];
 
   # enable deprecated soap headers required by lasso
   # https://dev.entrouvert.org/issues/18771