diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1eeefdc1..e2a3bbc6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
+- XML validator no longer hangs on recursive DTD entity expansion (closes #503).
 - TOML files with duplicate keys are now rejected as invalid (closes #504).
 - Broken symlinks are reported as validation failures instead of aborting the run (closes #505)
 - Repeating the same `--reporter` type with different output paths now writes each requested output.
diff --git a/pkg/validator/validator_test.go b/pkg/validator/validator_test.go
index 4e3178c0..d169b7cd 100644
--- a/pkg/validator/validator_test.go
+++ b/pkg/validator/validator_test.go
@@ -1180,3 +1180,16 @@ func Test_JustfileValidateValid(t *testing.T) {
 require.True(t, valid)
 require.NoError(t, err)
 }
+
+func Test_XMLRecursiveEntityDoesNotHang(t *testing.T) {
+ t.Parallel()
+ recursive := []byte(`
+
+
+]>
+&a;`)
+ valid, err := XMLValidator{}.ValidateSyntax(recursive)
+ require.False(t, valid)
+ require.Error(t, err)
+}
diff --git a/pkg/validator/xml.go b/pkg/validator/xml.go
index 4fed0828..d03194c1 100644
--- a/pkg/validator/xml.go
+++ b/pkg/validator/xml.go
@@ -9,6 +9,7 @@ import (
 "regexp"
 "strconv"
 "strings"
+ "time"
 "github.com/lestrrat-go/helium"
 "github.com/lestrrat-go/helium/xsd"
@@ -30,7 +31,8 @@ func (XMLValidator) ValidateXSD(b []byte, schemaPath string) (bool, error) {
 }
 func (XMLValidator) ValidateSyntax(b []byte) (bool, error) {
- ctx := context.Background()
+ ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+ defer cancel()
 _, err := helium.NewParser().ValidateDTD(true).Parse(ctx, b)
 if err != nil {
 errMsg := err.Error()
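Review bot: Test_XMLRecursiveEntityDoesNotHang in pkg/validator/validator_test.go asserts only `require.False(t, valid)` and `require.Error(t, err)`, so it passes the same way whether the parser rejects the recursive entity at once or spins until the 10-second deadline added to ValidateSyntax expires. If the deadline is what ends the parse, each run of this test costs about ten seconds and the name promises more than is verified. If helium is expected to detect the recursion itself, `require.NotErrorIs(t, err, context.DeadlineExceeded)` would pin that, assuming the parser returns the context error wrapped, which this diff does not show. A one-line comment above the payload stating which outcome is intended would help, since the DTD body is not legible in this view.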
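Review bot: The `context.WithTimeout(context.Background(), 10*time.Second)` added to ValidateSyntax in pkg/validator/xml.go bounds wall-clock time only; it does not by itself limit the memory an entity expansion can consume before the deadline, and it helps only if helium's parser checks ctx while expanding, which this hunk does not show. An expired deadline also appears to flow into the existing `errMsg := err.Error()` path like any syntax error, so a large but well-formed document that needs more than ten seconds would be reported as invalid XML. I would name the limit, `const xmlParseTimeout = 10 * time.Second // upper bound for one DTD-validating parse`, and report expiry distinctly with `if errors.Is(err, context.DeadlineExceeded) { return false, fmt.Errorf("xml: parse exceeded %s: %w", xmlParseTimeout, err) }`. ValidateSyntax's body continues past the hunk and ValidateXSD's body lies above it, so whether the XSD path parses under the same deadline is worth checking as well.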