CVE-2026-3449 - CVE Alert System

Basic Information

Severity	MEDIUM
Base Score	4.8
CNA	snyk
Published Date	2026-03-03 00:00:01 UTC
Last Modified	2026-03-03 00:00:01 UTC
CVE.org Link	https://www.cve.org/CVERecord?id=CVE-2026-3449
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-3449

Description

Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.

Affected Products

Vendor	Product
n/a	@tootallnate/once

References

https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612
https://github.com/TooTallNate/once/issues/8
https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a

Back to Lookup View on CVE.org