Axios currently carries two concurrent CVEs affecting Node.js applications. CVE-2026-40175 (CVSS 9.1, critical) enables exfiltration of cloud metadata credentials via CRLF header injection chained with SSRF. CVE-2025-62718 (CVSS 8.1, high) allows proxy bypass through a NO_PROXY hostname normalization failure, and a request that bypasses the proxy can likewise reach cloud metadata endpoints. The two vulnerabilities share an attack surface (attacker-influenced outbound requests from a cloud-hosted service) and compound each other's risk: the proxy bypass removes a control that would otherwise sit between the application and the metadata endpoint that the header injection targets.

Specific affected version ranges were not confirmed from authoritative sources (NVD/OSV) for either CVE as of this rollup. Organizations should track the GitHub security advisories GHSA-fvcv-3m26-pcqx and GHSA-3p68-rc4w-qgx5 (also mirrored in OSV) and the official Axios security advisories for patched version details.

Immediate mitigations, pending a confirmed patch: enforce IMDSv2 on all AWS instances (and the equivalent metadata-service hardening on other clouds, which also expose 169.254.169.254); block outbound access to 169.254.169.254 at the network layer for workloads that do not need the metadata service, and restrict it to the specific process or user that does for the rest; and audit all Node.js services for Axios usage, including transitive dependencies (npm ls axios shows the full tree), rather than direct imports only. Treat any header value assembled from user-controlled input as untrusted and reject it if it contains CR or LF characters.

Author

Tech Jacks Solutions