CVE-2026-3449: Incorrect Control Flow Scoping in @tootallnate/once
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
AI Analysis
Technical Summary
The vulnerability in @tootallnate/once versions prior to 3.0.1 is due to incorrect control flow scoping in promise resolving when the AbortSignal option is used. When the signal is aborted, the Promise does not resolve or reject but remains in a permanently pending state. This causes any asynchronous code awaiting the Promise or chaining with .then() to hang indefinitely, potentially causing stalled requests and blocking worker threads, which degrades application availability. The CVSS 4.8 score reflects a medium severity impact primarily affecting availability with local attack vector and low privileges required.
Potential Impact
The vulnerability causes promises to hang indefinitely when aborted via AbortSignal, leading to stalled requests and blocked workers. This results in degraded application availability but does not indicate direct code execution or data compromise. There are no known exploits in the wild. The impact is limited to denial of service conditions affecting the affected application components.
Mitigation Recommendations
No explicit patch or official fix information is provided in the available data. The vulnerability affects versions before 3.0.1, indicating that upgrading to version 3.0.1 or later may resolve the issue. Users should verify with the package maintainers or official advisories for confirmed remediation. Until then, consider avoiding use of the AbortSignal option with affected versions or implement application-level timeouts to mitigate indefinite hanging.
CVE-2026-3449: Incorrect Control Flow Scoping in @tootallnate/once
Description
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
CVSS v4.0
Score 4.8medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in @tootallnate/once versions prior to 3.0.1 is due to incorrect control flow scoping in promise resolving when the AbortSignal option is used. When the signal is aborted, the Promise does not resolve or reject but remains in a permanently pending state. This causes any asynchronous code awaiting the Promise or chaining with .then() to hang indefinitely, potentially causing stalled requests and blocking worker threads, which degrades application availability. The CVSS 4.8 score reflects a medium severity impact primarily affecting availability with local attack vector and low privileges required.
Potential Impact
The vulnerability causes promises to hang indefinitely when aborted via AbortSignal, leading to stalled requests and blocked workers. This results in degraded application availability but does not indicate direct code execution or data compromise. There are no known exploits in the wild. The impact is limited to denial of service conditions affecting the affected application components.
Mitigation Recommendations
No explicit patch or official fix information is provided in the available data. The vulnerability affects versions before 3.0.1, indicating that upgrading to version 3.0.1 or later may resolve the issue. Users should verify with the package maintainers or official advisories for confirmed remediation. Until then, consider avoiding use of the AbortSignal option with affected versions or implement application-level timeouts to mitigate indefinite hanging.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- snyk
- Date Reserved
- 2026-03-02T17:14:02.496Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a66f1fd1a09e29cbd3d467
Added to database: 3/3/2026, 5:18:23 AM
Last enriched: 5/5/2026, 2:07:03 AM
Last updated: 6/1/2026, 11:33:00 AM
Views: 143
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.