CVE-2026-3449
Deferred Deferred - Pending Action
Promise Control Flow Hang in @tootallnate/once Before

Publication date: 2026-03-03

Last updated on: 2026-05-19

Assigner: Snyk

Description
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3449
EUVD
EUVD-2026-9278
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tootallnate once to 3.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-705 The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3449 affects versions of the npm package @tootallnate/once prior to 3.0.1 and involves incorrect control flow scoping during promise resolution when the AbortSignal option is used.

Specifically, if the AbortSignal is aborted, the associated Promise remains in a permanently pending state, causing any awaiting or .then() calls to hang indefinitely.

This results in a control-flow leak that can stall requests, block workers, and degrade application availability.

Impact Analysis

This vulnerability can cause applications using the affected package with AbortSignal cancellation to experience hung await or .then() calls.

  • Stalled HTTP request handlers
  • Blocked worker threads or job queues
  • Resource exhaustion over time due to accumulating pending Promises

Overall, this can degrade application availability and potentially lead to Denial of Service (DoS) conditions, especially in concurrency-limited environments.

Compliance Impact

I don't know

Detection Guidance

This vulnerability manifests as Promises remaining in a permanently pending state when the AbortSignal option is used and aborted. Detection involves identifying hung or stalled asynchronous operations that use the @tootallnate/once package with AbortSignal.

To detect this on your system, you can monitor for hung or indefinitely pending Promises in your Node.js application, especially those using the once() function with AbortSignal. Look for stalled HTTP request handlers, blocked worker threads, or job queues that do not complete.

While no specific commands are provided in the resources, you can use debugging or profiling tools to identify Promises that never settle. For example, you might use Node.js debugging tools or logging to trace calls to once() with AbortSignal and check if they hang after aborting the signal.

  • Use Node.js inspector or debugger to trace Promise states.
  • Add logging around calls to once() with AbortSignal to detect if Promises remain pending after abort.
  • Monitor application responsiveness and look for stalled requests or blocked workers.
Mitigation Strategies

The recommended immediate mitigation is to upgrade the @tootallnate/once package to version 3.0.1 or later, where the issue is fixed.

If upgrading is not immediately possible, avoid directly awaiting the once() function with an AbortSignal. Instead, use a workaround such as wrapping the call in Promise.race() with a Promise that rejects on abort to prevent indefinite hanging.

The fix in version 3.0.1 ensures that when the AbortSignal is aborted, the Promise returned by once() is rejected with an AbortError, preventing the Promise from hanging indefinitely.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart