CVE-2026-3449
Promise Control Flow Hang in @tootallnate/once Before
Publication date: 2026-03-03
Last updated on: 2026-04-29
Assigner: Snyk
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tootallnate | once | up to 3.0.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-705 | The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3449 affects versions of the npm package @tootallnate/once prior to 3.0.1 and involves incorrect control flow scoping during promise resolution when the AbortSignal option is used.
Specifically, if the AbortSignal is aborted, the associated Promise remains in a permanently pending state, causing any awaiting or .then() calls to hang indefinitely.
This results in a control-flow leak that can stall requests, block workers, and degrade application availability.
How can this vulnerability impact me?
This vulnerability can cause applications using the affected package with AbortSignal cancellation to experience hung await or .then() calls.
- Stalled HTTP request handlers
- Blocked worker threads or job queues
- Resource exhaustion over time due to accumulating pending Promises
Overall, this can degrade application availability and potentially lead to Denial of Service (DoS) conditions, especially in concurrency-limited environments.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as Promises remaining in a permanently pending state when the AbortSignal option is used and aborted. Detection involves identifying hung or stalled asynchronous operations that use the @tootallnate/once package with AbortSignal.
To detect this on your system, you can monitor for hung or indefinitely pending Promises in your Node.js application, especially those using the once() function with AbortSignal. Look for stalled HTTP request handlers, blocked worker threads, or job queues that do not complete.
While no specific commands are provided in the resources, you can use debugging or profiling tools to identify Promises that never settle. For example, you might use Node.js debugging tools or logging to trace calls to once() with AbortSignal and check if they hang after aborting the signal.
- Use Node.js inspector or debugger to trace Promise states.
- Add logging around calls to once() with AbortSignal to detect if Promises remain pending after abort.
- Monitor application responsiveness and look for stalled requests or blocked workers.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade the @tootallnate/once package to version 3.0.1 or later, where the issue is fixed.
If upgrading is not immediately possible, avoid directly awaiting the once() function with an AbortSignal. Instead, use a workaround such as wrapping the call in Promise.race() with a Promise that rejects on abort to prevent indefinite hanging.
The fix in version 3.0.1 ensures that when the AbortSignal is aborted, the Promise returned by once() is rejected with an AbortError, preventing the Promise from hanging indefinitely.