Axios, one of the most widely deployed npm packages in Node.js ecosystems, carries two distinct vulnerabilities this period: a critical SSRF via NO_PROXY hostname normalization bypass (CVE-2025-62718, CVSS 9.1) and a high-severity header injection chain enabling cloud metadata exfiltration (CVE-2026-40175, CVSS 8.6). Both vulnerabilities can expose cloud credentials, IAM tokens, and internal APIs, particularly via AWS IMDSv1 at 169.254.169.254. Immediate mitigations include enforcing IMDSv2 on all cloud instances and auditing all Node.js dependency manifests for affected Axios versions; patch versions should be confirmed against GHSA-3p68-rc4w-qgx5 and GHSA-fvcv-3m26-pcqx before deployment. Note: CVE-2025-62718 has an extremely low EPSS score (0.03rd percentile) while CVE-2026-40175 EPSS is pending; exploitation probability should be reassessed as NVD processes both entries.