https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59
diff --git a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
index 78b1a00..121585e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
+++ b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
@@ -36,6 +36,14 @@ public abstract class DOMDeserializer extends FromStringDeserializer
 } catch(ParserConfigurationException pce) {
 // not much point to do anything; could log but...
 }
+
+ // [databind#2589] add two more settings just in case
+ try {
+ parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ } catch (Throwable t) { } // as per previous one, nothing much to do
+ try {
+ parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ } catch (Throwable t) { } // as per previous one, nothing much to do
 DEFAULT_PARSER_FACTORY = parserFactory;
 }
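Review bot: The two added `catch (Throwable t) { }` blocks hide every failure, so on a JAXP provider that rejects these Xerces-specific feature URIs the factory is still published through `DEFAULT_PARSER_FACTORY` with DOCTYPE handling at its defaults, and nothing shows that the hardening did not apply. The trailing comment says "as per previous one", yet the visible block above catches only `ParserConfigurationException`; if `Throwable` is deliberate (for example to survive an `AbstractMethodError` from an old parser), say so, e.g. `// Throwable: old JAXP impls may throw AbstractMethodError; feature is best-effort`. Where `disallow-doctype-decl` is rejected, setting the standard `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` features to `false` would be a reasonable fallback. The enclosing block starts above the hunk.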