From 71c223e688a2110a7c5cd7e533f0b819c866cc1c Mon Sep 17 00:00:00 2001
From: digi-scrypt
Date: Fri, 5 Jun 2026 20:37:01 +0530
Subject: [PATCH] disable DTDs and external entities in KMIPInputStream

---
 .../java/org/bouncycastle/kmip/wire/KMIPInputStream.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kmip/src/main/java/org/bouncycastle/kmip/wire/KMIPInputStream.java b/kmip/src/main/java/org/bouncycastle/kmip/wire/KMIPInputStream.java
index 95dae660f3..346938e03d 100644
--- a/kmip/src/main/java/org/bouncycastle/kmip/wire/KMIPInputStream.java
+++ b/kmip/src/main/java/org/bouncycastle/kmip/wire/KMIPInputStream.java
@@ -64,7 +64,10 @@ public class KMIPInputStream
 public KMIPInputStream(InputStream stream)
 throws XMLStreamException
 {
- this.eventReader = XMLInputFactory.newInstance().createXMLEventReader(stream);
+ XMLInputFactory factory = XMLInputFactory.newInstance();
+ factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+ factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+ this.eventReader = factory.createXMLEventReader(stream);
 }
 
 public KMIPMessage[] parse()
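Review bot: Nothing in this commit pins the new hardening in the `KMIPInputStream(InputStream)` constructor: the diffstat lists only this one file, so no test feeds the reader a document carrying a DOCTYPE or an entity declaration and checks that it is rejected or left unexpanded. That matters because `XMLInputFactory.newInstance()` returns whichever StAX provider is found on the classpath, and providers are not guaranteed to treat `SUPPORT_DTD` set to false identically (a DTD may be skipped silently rather than raising `XMLStreamException`), so the behaviour should be asserted rather than assumed. I would also put a one-line why-comment above the two `setProperty` calls, for example `// KMIP messages never need a DTD; refuse DTDs and external entities so untrusted input cannot trigger XXE`. `parse()` begins on the last line of the hunk and its body is outside it, so how the reader reacts to a DTD event there cannot be checked from here.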