For background information, see XXE vulnerability.
This seems not to have been fixed in Jaxb2RootElementHttpMessageConverter when it was fixed in Jaxb2CollectionHttpMessageConverter. The way it is solved in Jaxb2CollectionHttpMessageConverter is by hard-coding the property for resolving external entities to false. See SPR-10806 and the attached patch.
By default the XML parser will parse and replace external entities. There is also no way to configure how Jaxb2RootElementHttpMessageConverter handles external entities.
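The following is an added, self-contained illustration of the behaviour described above; it is not code from Spring Framework or from the attached patch. It unmarshals the same JAXB payload twice: once through a plain StreamSource, where the parser's defaults apply and the external entity is resolved, and once through a SAXSource whose XMLReader has external entity resolution switched off. The Person class, the temp file standing in for a sensitive file on the server, and the javax.xml.bind imports (JDK 8 built-in JAXB; on newer JDKs a jaxb-api and runtime dependency is assumed) are all assumptions made for the example.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class JaxbXxeDemo {

    // Assumed root element type, in place of whatever @XmlRootElement class a controller would bind.
    @XmlRootElement(name = "person")
    public static class Person {
        public String name;
    }

    // Constructed attacker payload: the DTD declares an external entity pointing at a local file
    // and the entity is referenced inside an element that JAXB maps to a String field.
    static String payload(Path fileToExfiltrate) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE person [\n"
             + "  <!ENTITY xxe SYSTEM \"" + fileToExfiltrate.toUri() + "\">\n"
             + "]>\n"
             + "<person><name>&xxe;</name></person>";
    }

    // Unmarshalling from a StreamSource hands the bytes to the default parser, whose defaults
    // resolve external general entities, so the file content ends up in Person.name.
    static Person unmarshalWithDefaults(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Person.class).createUnmarshaller();
        return (Person) u.unmarshal(new StreamSource(new StringReader(xml)));
    }

    // Hardened variant: build the XMLReader ourselves with external entity resolution disabled
    // and feed JAXB a SAXSource. The entity reference is skipped, so Person.name is empty.
    // Setting "http://apache.org/xml/features/disallow-doctype-decl" to true would reject the
    // DOCTYPE outright instead; that is the stricter choice when no DTD is ever expected.
    static Person unmarshalHardened(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        Unmarshaller u = JAXBContext.newInstance(Person.class).createUnmarshaller();
        return (Person) u.unmarshal(new SAXSource(reader, new InputSource(new StringReader(xml))));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the server (e.g. a credentials file).
        Path secret = Files.createTempFile("jaxb-xxe-secret", ".txt");
        Files.write(secret, "s3cr3t-db-password".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);

        Person leaked = unmarshalWithDefaults(xml);
        System.out.println("default parser  -> name = '" + leaked.name + "'");   // file content

        Person safe = unmarshalHardened(xml);
        System.out.println("hardened parser -> name = '" + safe.name + "'");     // empty

        Files.deleteIfExists(secret);
    }
}
```

The first call prints the content of the temp file, which is exactly the exfiltration path the report is about: a request body that reaches Jaxb2RootElementHttpMessageConverter is unmarshalled with parser defaults, and the converter exposes no setting to change that. The second call shows the shape of a fix, which is to own the XMLReader and disable external entities before JAXB ever sees the input.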