CVE-2025-62718 (GHSA-3p68-rc4w-qgx5) is a critical-rated SSRF vulnerability (CVSS 9.1) in the Axios npm library. It results from a hostname normalization bypass of NO_PROXY controls, which enables requests to reach internal services and cloud IMDS endpoints such as 169.254.169.254. EPSS is low (0.015%, 3.4th percentile), indicating limited current exploitation activity, but the library's extremely broad deployment across Node.js applications, Lambda functions, and containerized environments means the attack surface is wide. Organizations should upgrade to the patched Axios version confirmed in GHSA-3p68-rc4w-qgx5, add network-layer egress controls that restrict application-tier access to internal ranges independent of proxy configuration, and enable IMDSv2 on EC2 instances to limit SSRF-driven credential exposure.
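The sketch below is an added example, not code from Axios or from the advisory: an application-layer pre-request guard that canonicalizes the URL host before NO_PROXY-style matching and before checking it against internal ranges such as 169.254.0.0/16. The function names, the range list and the host variants handled (trailing dot, letter case, bracketed IPv6) are assumptions, and the guard complements network-layer egress controls rather than replacing them.

```javascript
// Added example, not Axios code. All function names are hypothetical.
// Assumption: trailing dots, mixed case and bracketed IPv6 literals are the
// host variants to canonicalize; the page does not list specific forms.

// WHATWG URL parsing lowercases the host and rewrites numeric IPv4 forms.
// One trailing dot and IPv6 brackets are removed on top of that.
function canonicalHost(rawUrl) {
  return new URL(rawUrl).hostname.replace(/^\[|\]$/g, "").replace(/\.$/, "");
}

// NO_PROXY-style match with both sides canonicalized the same way.
function matchesNoProxy(rawUrl, noProxy) {
  const host = canonicalHost(rawUrl);
  return noProxy.split(",").some((raw) => {
    const e = raw.trim().toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
    if (e === "") return false;
    return e === "*" || (e.startsWith(".") ? host.endsWith(e) : host === e);
  });
}

// Constructed list of IPv4 ranges an application tier should not reach.
const INTERNAL_V4 = [["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]];

function v4ToInt(ip) {
  return ip.split(".").reduce((acc, part) => acc * 256 + Number(part), 0);
}

function isInternalV4(ip) {
  const n = v4ToInt(ip);
  return INTERNAL_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// True when the URL's literal host is loopback, link-local or private.
// Names that only resolve to such addresses via DNS are not covered here.
function isInternalHost(rawUrl) {
  const host = canonicalHost(rawUrl);
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return isInternalV4(host);
  const m = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (m) { // IPv4-mapped IPv6, serialized by URL in hex groups
    const n = parseInt(m[1], 16) * 65536 + parseInt(m[2], 16);
    const octets = [n / 16777216, n / 65536, n / 256, n].map((x) => Math.floor(x) % 256);
    return isInternalV4(octets.join("."));
  }
  if (host.includes(":")) return host === "::1" || host === "::" || /^(fe[89ab][0-9a-f]|f[cd][0-9a-f]{2}):/.test(host);
  return host === "localhost" || host.endsWith(".localhost");
}
```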

Author

Tech Jacks Solutions