diff --git a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java
index 639fcf08d1..5fd7ceb2cb 100644
--- a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java
+++ b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/xml/XStreamInitializer.java
@@ -1,13 +1,18 @@
 package me.chanjar.weixin.common.util.xml;
 
-import java.io.Writer;
-
 import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.converters.basic.*;
+import com.thoughtworks.xstream.converters.collections.CollectionConverter;
 import com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider;
+import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
 import com.thoughtworks.xstream.core.util.QuickWriter;
 import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
 import com.thoughtworks.xstream.io.xml.PrettyPrintWriter;
 import com.thoughtworks.xstream.io.xml.XppDriver;
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.WildcardTypePermission;
+
+import java.io.Writer;
 
 public class XStreamInitializer {
   private static final XppDriver XPP_DRIVER = new XppDriver() {
@@ -41,14 +46,34 @@ public String encodeNode(String name) {
   };
 
   public static XStream getInstance() {
-    XStream xstream = new XStream(new PureJavaReflectionProvider(), XPP_DRIVER);
+    XStream xstream = new XStream(new PureJavaReflectionProvider(), XPP_DRIVER) {
+      // only register the converters we need; other converters generate a private access warning in the console on Java9+...
+      @Override
+      protected void setupConverters() {
+        registerConverter(new NullConverter(), PRIORITY_VERY_HIGH);
+        registerConverter(new IntConverter(), PRIORITY_NORMAL);
+        registerConverter(new FloatConverter(), PRIORITY_NORMAL);
+        registerConverter(new DoubleConverter(), PRIORITY_NORMAL);
+        registerConverter(new LongConverter(), PRIORITY_NORMAL);
+        registerConverter(new ShortConverter(), PRIORITY_NORMAL);
+        registerConverter(new BooleanConverter(), PRIORITY_NORMAL);
+        registerConverter(new ByteConverter(), PRIORITY_NORMAL);
+        registerConverter(new StringConverter(), PRIORITY_NORMAL);
+        registerConverter(new DateConverter(), PRIORITY_NORMAL);
+        registerConverter(new CollectionConverter(getMapper()), PRIORITY_NORMAL);
+        registerConverter(new ReflectionConverter(getMapper(), getReflectionProvider()), PRIORITY_VERY_LOW);
+      }
+    };
     xstream.ignoreUnknownElements();
     xstream.setMode(XStream.NO_REFERENCES);
     XStream.setupDefaultSecurity(xstream);
-    xstream.allowTypesByWildcard(new String[]{
-      "me.chanjar.weixin.**", "cn.binarywang.wx.**", "com.github.binarywang.**"
-    });
+    xstream.autodetectAnnotations(true);
 
+    // setup proper security by limiting which classes can be loaded by XStream
+    xstream.addPermission(NoTypePermission.NONE);
+    xstream.addPermission(new WildcardTypePermission(new String[]{
+      "me.chanjar.weixin.**", "cn.binarywang.wx.**", "com.github.binarywang.**"
+    }));
     xstream.setClassLoader(Thread.currentThread().getContextClassLoader());
     return xstream;
   }