Latest commit f081dbf Dec 4, 2015 @njoyce njoyce committed with njoyce Switch to use defusedxml as the default xml loader.
By default, PyAMF will not support potentially vulnerable payloads. See

All the standard XML processing libs that PyAMF previously supported are still supported.

There may be people who use DTD/Entities as part of their AMF payloads - they will have
to continue to use an old version or make an issue to see how their use case can still be