diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
index 8598571120..a93f3b2db6 100644
--- a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+++ b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
@@ -80,8 +80,9 @@ import org.springframework.util.xml.StaxUtils;
* {@code XStreamMarshaller} to unmarshal XML from external sources (i.e. the Web),
* as this can result in security vulnerabilities. If you do use the
* {@code XStreamMarshaller} to unmarshal external XML, set the
- * {@link #setConverters(ConverterMatcher[]) converters} and
- * {@link #setSupportedClasses(Class[]) supportedClasses} properties or override the
+ * {@link #setSupportedClasses(Class[]) supportedClasses} and
+ * {@link #setConverters(ConverterMatcher[]) converters} properties (possibly using a
+ * {@link CatchAllConverter} as the last converter in the list) or override the
* {@link #customizeXStream(XStream)} method to make sure it only accepts the classes
* you want it to support.
*
diff --git a/src/reference/docbook/oxm.xml b/src/reference/docbook/oxm.xml
index 1a7cbac17c..608b847f26 100644
--- a/src/reference/docbook/oxm.xml
+++ b/src/reference/docbook/oxm.xml
@@ -766,6 +766,9 @@ public class Application {
Additionally, you can register
custom converters to make sure that only your supported classes can be unmarshalled.
+ You might want to add a CatchAllConverter as the last converter in the list,
+ in addition to converters that explicitly support the domain classes that should be supported.
+ As a result, default XStream converters with lower priorities and possible security vulnerabilities do not get invoked.