diff --git a/pre_commit_hooks/check_xml.py b/pre_commit_hooks/check_xml.py
index ff5536b5..9040a2a5 100644
--- a/pre_commit_hooks/check_xml.py
+++ b/pre_commit_hooks/check_xml.py
@@ -4,6 +4,10 @@
 import xml.sax.handler
 from collections.abc import Sequence
 
+import defusedxml
+
+defusedxml.defuse_stdlib()
+
 
 def main(argv: Sequence[str] | None = None) -> int:
     parser = argparse.ArgumentParser()
@@ -15,7 +19,7 @@ def main(argv: Sequence[str] | None = None) -> int:
     for filename in args.filenames:
         try:
             with open(filename, 'rb') as xml_file:
-                xml.sax.parse(xml_file, handler)
+                defusedxml.sax.parse(xml_file, handler)
         except xml.sax.SAXException as exc:
             print(f'(unknown): Failed to xml parse ({exc})')
             retval = 1
diff --git a/setup.cfg b/setup.cfg
index d91f4399..819a8eef 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -18,6 +18,7 @@ classifiers =
 [options]
 packages = find:
 install_requires =
+    defusedxml>=0.8.0rc2
     ruamel.yaml>=0.15
     tomli>=1.1.0;python_version<"3.11"
 python_requires = >=3.10
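Review bot: The bare `import defusedxml` added here does not by itself bind the `sax` submodule, yet the second hunk calls `defusedxml.sax.parse`; as far as I can tell that only works because `defuse_stdlib()` imports `defusedxml.sax` as a side effect. An explicit `import defusedxml.sax` beside it makes the dependency visible and keeps the call working if the `defuse_stdlib()` line is ever removed. The module-level `defusedxml.defuse_stdlib()` also monkeypatches every stdlib `xml` parser in the process at import time, which is the intended hardening but deserves a why-comment, e.g. `# Harden all stdlib XML parsers process-wide, not only the sax call in main()`.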
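Review bot: The `except xml.sax.SAXException` on the line after the changed call no longer covers the failure mode this switch introduces: when defusedxml rejects input (entity declarations or external references, which `defusedxml.sax.parse` forbids by default) it raises `DefusedXmlException` subclasses such as `EntitiesForbidden`, which as far as I can tell derive from `ValueError`, not `SAXException`. Such a file would end the hook with an uncaught traceback instead of the `(unknown): Failed to xml parse` report and `retval = 1` the loop is built around. Catching both keeps the reporting uniform: `except (xml.sax.SAXException, defusedxml.DefusedXmlException) as exc:`. Note that `forbid_dtd` is left at its default, so DTDs themselves are still accepted, which fits a validity checker but is worth a one-line comment if intentional. main() starts and ends outside this hunk.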
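Review bot: The new floor `defusedxml>=0.8.0rc2` makes a release candidate the minimum supported version, and nothing in the change records why the last final release is not enough. Resolvers following PEP 440 admit a pre-release when the specifier itself names one, so installs should work, but a trailing comment on the line (setup.cfg accepts `#` comments) would keep the next maintainer from relaxing the bound; presumably it is tied to the interpreters in `python_requires`, though that is an inference. The bound should be revisited once a final 0.8.0 is published.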