The Axios npm package contains a critical SSRF vulnerability (CVE-2025-62718, CVSS 9.1) that allows NO_PROXY blocklist bypass through hostname normalization flaws, enabling requests to reach cloud metadata services and internal network resources. Exploitation has not yet been widely observed (EPSS 0.015%, 3.34th percentile), but the library’s ubiquity across Node.js environments and explicit flagging by Red Hat, SUSE, and AWS Lambda maintainers elevates operational urgency. Organizations should audit all Axios dependencies immediately, apply network-layer egress controls as a compensating measure, and upgrade to the patched version confirmed via GHSA-3p68-rc4w-qgx5 once available.