
The axios npm library carries two distinct critical-severity CVEs in this rollup. CVE-2025-62718 (CVSS 9.1, GHSA-3p68-rc4w-qgx5) stems from hostname normalization failures in NO_PROXY evaluation that enable SSRF against cloud instance metadata services. CVE-2026-40175 (CVSS unscored at time of analysis, GHSA-fvcv-3m26-pcqx) chains CRLF injection with SSRF to exfiltrate cloud credentials from AWS, GCP, and Azure IMDS endpoints. Both vulnerabilities affect cloud-hosted and containerized Node.js environments and share the same high-impact outcome: unauthorized access to cloud IAM credentials and internal APIs.

Organizations should immediately audit all services for axios dependency exposure, enforce IMDSv2-only on AWS EC2 instances as a defense-in-depth control, apply upstream patches per the respective GHSA advisories once confirmed affected version ranges are published, and query cloud audit logs for anomalous IMDS access patterns.

Note: the CVSS score for CVE-2026-40175 and the confirmed affected version ranges for both CVEs were not verified from NVD primary sources at time of analysis; consult the OSV advisories GHSA-3p68-rc4w-qgx5 and GHSA-fvcv-3m26-pcqx directly before finalizing remediation scope.

Author

Tech Jacks Solutions