In general, parsers that do not limit recursion-depth and order can be a problem.
Marshalling the data for platform traversal is also very wise. A library like Xalan/xerces using XSLT is very powerful, or something lightweight like the JSON/BSON parser in libbson.
Accordingly, one must assume the data is _always_ malformed, and assign a scoring system to the expected format at each stage of decoding. i.e. each service/function does a sanity check, then scores which data is critical, optional, and prohibited.
This way your infrastructure handles the case when (not if) someone tries to put Coffee Grounds in your garbage disposal unit. =)