diff --git a/.changeset/floppy-bats-live.md b/.changeset/floppy-bats-live.md
new file mode 100644
index 000000000..72b93f4ca
--- /dev/null
+++ b/.changeset/floppy-bats-live.md
@@ -0,0 +1,6 @@
+---
+"@rnx-kit/tools-windows": patch
+"@rnx-kit/tools-apple": patch
+---
+
+Bumped `fast-xml-parser` to address a security vulnerability
diff --git a/packages/tools-apple/package.json b/packages/tools-apple/package.json
index 8ae8b0abd..6bfe245d7 100644
--- a/packages/tools-apple/package.json
+++ b/packages/tools-apple/package.json
@@ -55,7 +55,7 @@
   },
   "dependencies": {
     "@rnx-kit/tools-shell": "^0.2.2",
-    "fast-xml-parser": "^4.0.0"
+    "fast-xml-parser": "^5.3.4"
   },
   "devDependencies": {
     "@rnx-kit/eslint-config": "*",
diff --git a/packages/tools-windows/package.json b/packages/tools-windows/package.json
index 91c987506..8500988e8 100644
--- a/packages/tools-windows/package.json
+++ b/packages/tools-windows/package.json
@@ -35,7 +35,7 @@
   },
   "dependencies": {
     "@rnx-kit/tools-shell": "^0.2.0",
-    "fast-xml-parser": "^4.0.0"
+    "fast-xml-parser": "^5.3.4"
   },
   "devDependencies": {
     "@rnx-kit/eslint-config": "*",
diff --git a/yarn.lock b/yarn.lock
index 2d57cebf3..06b9262ee 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5453,7 +5453,7 @@ __metadata:
     "@rnx-kit/tools-shell": "npm:^0.2.2"
     "@rnx-kit/tsconfig": "npm:*"
     "@types/node": "npm:^24.0.0"
-    fast-xml-parser: "npm:^4.0.0"
+    fast-xml-parser: "npm:^5.3.4"
   languageName: unknown
   linkType: soft
 
@@ -5563,7 +5563,7 @@ __metadata:
     "@rnx-kit/tools-shell": "npm:^0.2.0"
     "@rnx-kit/tsconfig": "npm:*"
     "@types/node": "npm:^24.0.0"
-    fast-xml-parser: "npm:^4.0.0"
+    fast-xml-parser: "npm:^5.3.4"
   languageName: unknown
   linkType: soft
 
@@ -9580,6 +9580,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"fast-xml-parser@npm:^5.3.4":
+  version: 5.3.4
+  resolution: "fast-xml-parser@npm:5.3.4"
+  dependencies:
+    strnum: "npm:^2.1.0"
+  bin:
+    fxparser: src/cli/cli.js
+  checksum: 10c0/d77866ca860ad185153e12f6ba12274d32026319ad8064e4681342b8a8e1ffad3f1f98daf04d77239fb12eb1d906ee7185fd328deda74529680e8dae0f3e9327
+  languageName: node
+  linkType: hard
+
 "fastest-levenshtein@npm:^1.0.7":
   version: 1.0.12
   resolution: "fastest-levenshtein@npm:1.0.12"
@@ -16178,6 +16189,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"strnum@npm:^2.1.0":
+  version: 2.1.2
+  resolution: "strnum@npm:2.1.2"
+  checksum: 10c0/4e04753b793540d79cd13b2c3e59e298440477bae2b853ab78d548138385193b37d766d95b63b7046475d68d44fb1fca692f0a3f72b03f4168af076c7b246df9
+  languageName: node
+  linkType: hard
+
 "sudo-prompt@npm:^9.0.0":
   version: 9.2.1
   resolution: "sudo-prompt@npm:9.2.1"