diff --git a/lib/authorize_net/xml_response.rb b/lib/authorize_net/xml_response.rb
index 8a0c97c..3ac7e4a 100644
--- a/lib/authorize_net/xml_response.rb
+++ b/lib/authorize_net/xml_response.rb
@@ -9,8 +9,9 @@ def initialize(raw_response, transaction)
 unless connection_failure?
 begin
 xml = Nokogiri::XML(@raw_response.body) do |config|
- # confirm noent is the right flag
- config.recover.noent.nonet
+ # Security: Do NOT use .noent - it enables entity substitution which allows XXE attacks.
+ # Predefined XML entities (&, <, etc.) are decoded by default without .noent.
+ config.recover.nonet
 end
 @root = xml.children[0]
 @result_code = node_content_unless_nil(@root.at_css('messages resultCode'))
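Review bot: Nothing in the hunk pins the fix down — a spec that parses a response declaring an internal DTD entity and asserts the reference is left unexpanded (while `&amp;`/`&lt;` are still decoded, as the new comment promises) would stop `.noent` from being reintroduced later. As far as I can tell `config.recover.nonet` is the same as Nokogiri's `ParseOptions::DEFAULT_XML` (RECOVER | NONET), so the block now only restates the defaults; it is worth saying so, e.g. `# Matches Nokogiri's DEFAULT_XML (RECOVER | NONET); kept explicit so the intent is visible and noent is never added.` Because `recover` is kept, a truncated or malformed gateway response still yields a partial tree, and `xml.children[0]` on the following context line may be nil or a non-element node (DTD, comment), so `@root.at_css(...)` would raise NoMethodError instead of surfacing a parse failure; `@root = xml.root` with a nil guard is the safer lookup. `initialize` continues past the end of the hunk.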