The Axios npm package carries two distinct SSRF vulnerabilities this period. CVE-2025-62718 (CVSS 9.1, GHSA-3p68-rc4w-qgx5) is a NO_PROXY hostname normalization bypass that lets a crafted hostname reach internal services and cloud instance metadata service (IMDS) endpoints. CVE-2026-40175 (CVSS 8.1, GHSA-fvcv-3m26-pcqx) is a header injection that can be used to exfiltrate cloud instance credentials from IMDSv1 endpoints, including AWS IAM role credentials. Both affect server-side Node.js environments. Affected version ranges are unconfirmed in the available sources for both CVEs and must be verified against NVD and the respective GitHub Security Advisories before patching. As a compensating control, organizations should immediately require IMDSv2 on all EC2 instances (set the instance metadata option HttpTokens to required, for example with aws ec2 modify-instance-metadata-options --http-tokens required): IMDSv2 only returns credentials to a caller holding a session token obtained with a PUT request, which a plain GET issued through an SSRF cannot obtain. They should also audit every Node.js application that imports Axios for exposure, and rotate cloud credentials for any service where IMDS access cannot be ruled out.

Author

Tech Jacks Solutions