PT-2026-22719 · Unknown · @Tootallnate/Once

Nanak-Singh · Published 2026-03-03 · Updated 2026-05-19 · CVE-2026-3449

CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

@tootallnate/once versions prior to 3.0.1

Description

Versions of the package @tootallnate/once prior to 3.0.1 are susceptible to incorrect control flow scoping in promise resolution when the AbortSignal option is used. When the signal is aborted, the Promise remains permanently pending, so any await or .then() on it hangs indefinitely. This control-flow leak can result in stalled requests, blocked workers, or reduced application availability.

Recommendations

Update @tootallnate/once to version 3.0.1 or later.
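
The failure mode in the description, modelled as an added example (not code from @tootallnate/once or from this advisory). `onceLeaky` is a hypothetical stand-in for the flawed pattern and `onceFixed` is one way to settle the promise on abort; `settlesWithin` and `probeAbort` are hypothetical helpers a regression test can use to catch a promise that never settles.

```javascript
// Added illustration: onceLeaky, onceFixed, settlesWithin and probeAbort are
// hypothetical names for this sketch, not the @tootallnate/once source.
const { EventEmitter } = require('node:events');

// Flawed pattern: abort only detaches listeners; nothing settles the promise.
function onceLeaky(emitter, name, { signal } = {}) {
  return new Promise((resolve, reject) => {
    const cleanup = () => {
      signal?.removeEventListener('abort', cleanup);
      emitter.removeListener(name, onEvent).removeListener('error', onError);
    };
    const onEvent = (...args) => { cleanup(); resolve(args); };
    const onError = (err) => { cleanup(); reject(err); };
    signal?.addEventListener('abort', cleanup);
    emitter.on(name, onEvent).on('error', onError);
  });
}

// Hardened pattern: abort rejects, and an already-aborted signal rejects at once.
function onceFixed(emitter, name, { signal } = {}) {
  return new Promise((resolve, reject) => {
    const cleanup = () => {
      signal?.removeEventListener('abort', onAbort);
      emitter.removeListener(name, onEvent).removeListener('error', onError);
    };
    const onEvent = (...args) => { cleanup(); resolve(args); };
    const onError = (err) => { cleanup(); reject(err); };
    const onAbort = () => { cleanup(); reject(signal.reason); };
    if (signal?.aborted) return reject(signal.reason);
    signal?.addEventListener('abort', onAbort);
    emitter.on(name, onEvent).on('error', onError);
  });
}

// Regression probe: how does `promise` settle within `ms` milliseconds?
function settlesWithin(promise, ms) {
  let timer;
  const timeout = new Promise((res) => { timer = setTimeout(res, ms, 'pending'); });
  const observed = promise.then(() => 'fulfilled', () => 'rejected');
  return Promise.race([observed, timeout]).finally(() => clearTimeout(timer));
}

// Start a wait, abort it, and report the resulting promise state.
function probeAbort(onceImpl) {
  const ac = new AbortController();
  const pending = onceImpl(new EventEmitter(), 'ready', { signal: ac.signal });
  ac.abort();
  return settlesWithin(pending, 25);
}
```

Until the upgrade is deployed, racing an abortable wait against a deadline in the way `settlesWithin` does keeps a caller from blocking forever on a promise that never settles.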

Related Identifiers

CVE-2026-3449
GHSA-VPQ2-C234-7XJ6
OPENSUSE-SU-2026:10290-1
OPENSUSE-SU-2026:10429-1

Affected Products

@Tootallnate/Once