Description
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
Published: 2026-03-03
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to permanently pending promises when AbortSignal is used
Action: Apply Patch
AI Analysis

Impact

Versions of @tootallnate/once earlier than 3.0.1 contain a flaw in how the library handles the AbortSignal option. When the signal is aborted, the library does not settle the returned promise, so it stays pending forever. Any code that awaits the promise or attaches a .then() handler will block indefinitely, potentially exhausting resources or halting further application logic. This behavior degrades application availability and can become a denial-of-service condition in a long-running or high-traffic context.

Affected Systems

The vulnerability affects the Node.js package @tootallnate/once in all releases prior to version 3.0.1. Users whose code imports this package and passes an AbortSignal option while awaiting the resulting promise are susceptible to the issue.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while the EPSS score below 1% indicates a very low probability of exploitation at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is any JavaScript context that calls once with an AbortSignal, for example server-side API handlers or client-side code that manages request cancellation. Successful exploitation would manifest as infinitely pending promises that consume event loop cycles or worker threads, effectively causing a denial of service.

Generated by OpenCVE AI on April 17, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the @tootallnate/once package to version 3.0.1 or later to fix the incorrect control flow scoping flaw (CWE-1322).
  • If an upgrade is not possible, modify your code to avoid passing an AbortSignal when invoking the library, so the control-flow leak (CWE-705) cannot be reached.
  • Wrap calls to the promise in an explicit timeout or cancellation mechanism so that stalled promises do not block the event loop.
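As an added example (not code from @tootallnate/once or from this advisory), the wrapper below implements the third action above: `settleOrAbort` is a hypothetical helper that races a promise against its AbortSignal and a deadline, and `stallingOnce` is a constructed stand-in that mimics the described hang on the global `EventTarget`, not the library itself.

```javascript
// Constructed stand-in for the behaviour the advisory describes: it resolves
// when the event fires but never settles after the signal aborts. It is not
// the library's code; it listens on the global EventTarget, not a Node emitter.
function stallingOnce(target, eventName, { signal } = {}) {
  return new Promise((resolve) => {
    target.addEventListener(eventName, (event) => resolve(event), { once: true });
    // Bug being modelled: the abort is observed but the promise is never rejected.
    if (signal) signal.addEventListener('abort', () => {}, { once: true });
  });
}

function abortError(reason) {
  const err = new Error(reason instanceof Error ? reason.message : 'aborted');
  err.name = 'AbortError';
  return err;
}

// Hypothetical helper: settle `promise` no later than the signal's abort or the
// deadline, whichever comes first, and clean up listeners and timers so the
// wrapper itself does not leak.
function settleOrAbort(promise, { signal, timeoutMs } = {}) {
  return new Promise((resolve, reject) => {
    let timer, onAbort;
    const finish = (fn, value) => {
      clearTimeout(timer);
      if (signal && onAbort) signal.removeEventListener('abort', onAbort);
      fn(value); // a second call after settlement is a harmless no-op
    };
    if (signal) {
      if (signal.aborted) return finish(reject, abortError(signal.reason));
      onAbort = () => finish(reject, abortError(signal.reason));
      signal.addEventListener('abort', onAbort, { once: true });
    }
    if (timeoutMs !== undefined) {
      timer = setTimeout(() => finish(reject, new Error(`timed out after ${timeoutMs} ms`)), timeoutMs);
    }
    promise.then((value) => finish(resolve, value), (err) => finish(reject, err));
  });
}

// Abort after the call: the unwrapped promise would hang, the wrapped one rejects.
function demoAbort() {
  const target = new EventTarget();
  const controller = new AbortController();
  const signal = controller.signal;
  const guarded = settleOrAbort(stallingOnce(target, 'done', { signal }), { signal, timeoutMs: 5000 });
  controller.abort();
  return guarded.then(() => 'settled', (err) => err.name);
}
```

Without the wrapper, `await stallingOnce(...)` in `demoAbort` would never return; with it, the caller gets an AbortError and the 5-second timer is cleared so nothing lingers.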
Advisories

Source: Github GHSA
ID: GHSA-vpq2-c234-7xj6
Title: @tootallnate/once vulnerable to Incorrect Control Flow Scoping

History

Wed, 04 Mar 2026 21:15:00 +0000
  First Time appeared (added): Tootallnate; Tootallnate once
  Vendors & Products (added): Tootallnate; Tootallnate once

Wed, 04 Mar 2026 00:15:00 +0000
  Title (added): @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with AbortSignal
  Weaknesses (added): CWE-1322
  References
  Metrics threat_severity: None (removed), Moderate (added)

Tue, 03 Mar 2026 16:15:00 +0000
  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 05:15:00 +0000
  Description (added): Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
  Weaknesses (added): CWE-705
  References
  Metrics cvssV3_1 (added): {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P'}
  Metrics cvssV4_0 (added): {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED
Assigner: snyk
Published:
Updated: 2026-03-03T15:31:46.840Z
Reserved: 2026-03-02T17:14:02.496Z
Link: CVE-2026-3449

Vulnrichment

Updated: 2026-03-03T15:31:41.721Z

NVD

Status: Awaiting Analysis
Published: 2026-03-03T05:17:25.017
Modified: 2026-03-03T21:52:29.877
Link: CVE-2026-3449

Redhat

Severity: Moderate
Published Date: 2026-03-03T05:00:01Z
Links: CVE-2026-3449 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses