{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3449", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-03-02T17:14:02.496Z", "datePublished": "2026-03-03T05:00:01.085Z", "dateUpdated": "2026-05-04T05:23:47.062Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}], "credits": [{"value": "Nanak Singh Khurana", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-705", "description": "Incorrect Control Flow Scoping", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-05-04T05:23:47.062Z"}, "descriptions": [{"value": "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612"}, {"url": "https://github.com/TooTallNate/once/issues/8"}, {"url": "https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a"}], "affected": [{"product": "@tootallnate/once", "versions": [{"version": "0", "lessThan": "3.0.1", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:31:31.197282Z", "id": "CVE-2026-3449", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:31:46.840Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3449", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T15:31:31.197282Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:31:41.721Z"}}], "cna": {"credits": [{"lang": "en", "value": "Nanak Singh Khurana"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "NONE"}, "cvssV4_0": {"version": "4.0", "baseScore": 4.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "@tootallnate/once", "versions": [{"status": "affected", "version": "0", "lessThan": "3.0.1", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612"}, {"url": "https://github.com/TooTallNate/once/issues/8"}, {"url": "https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a"}], "descriptions": [{"lang": "en", "value": "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-705", "description": "Incorrect Control Flow Scoping"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-05-04T05:23:47.062Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3449", "state": "PUBLISHED", "dateUpdated": "2026-05-04T05:23:47.062Z", "dateReserved": "2026-03-02T17:14:02.496Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2026-03-03T05:00:01.085Z", "assignerShortName": "snyk"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability."}, {"lang": "es", "value": "Versiones del paquete @tootallnate/once anteriores a la 3.0.1 son vulnerables a un Alcance Incorrecto del Flujo de Control en la resoluci\u00f3n de promesas cuando se utiliza la opci\u00f3n AbortSignal. La Promesa permanece en un estado permanentemente pendiente despu\u00e9s de que la se\u00f1al es abortada, causando que cualquier uso de await o .then() se quede colgado indefinidamente. Esto puede causar una fuga en el flujo de control que puede llevar a solicitudes estancadas, workers bloqueados o disponibilidad degradada de la aplicaci\u00f3n."}], "id": "CVE-2026-3449", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2026-03-03T05:17:25.017", "references": [{"source": "report@snyk.io", "url": "https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a"}, {"source": "report@snyk.io", "url": "https://github.com/TooTallNate/once/issues/8"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-705"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"bugzilla": {"description": "@tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with AbortSignal", "id": "2444057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444057"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1322", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-3449", "package_state": [{"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Fix deferred", "package_name": "openshift-sandboxed-containers/osc-pccs", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Fix deferred", "package_name": "io.cryostat-cryostat", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:rhmt:1", "fix_state": "Fix deferred", "package_name": "rhmtc/openshift-migration-ui-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:network_observ_optr:1", "fix_state": "Fix deferred", "package_name": "network-observability/network-observability-console-plugin-compat-rhel9", "product_name": "Network Observability Operator"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-console-plugin-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-operator-bundle", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-rhel9-operator", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/thanos-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "org.jolokia-jolokia-parent", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-on-clouds/aoc-azure-aap-installer-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Fix deferred", "package_name": "io.apicurio-apicurio-registry", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Fix deferred", "package_name": "org.optaweb.vehiclerouting-optaweb-vehicle-routing", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.infinispan-infinispan-console", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "io.syndesis-syndesis-parent", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.jboss.hal-hal-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/code-sshd-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite/iop-vulnerability-frontend-rhel9", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-03T05:00:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3449\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3449\nhttps://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a\nhttps://github.com/TooTallNate/once/issues/8\nhttps://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "@tootallnate/once", "source": "cna", "vendor": "n/a"}, "product": "once", "vendor": "tootallnate"}], "analysis": {"en": {"generated_at": "2026-04-17T13:25:40.904749+00:00", "value": {"mitigation_remediation": ["Upgrade the @tootallnate/once package to version\u00a03.0.1 or later to fix the incorrect control flow scoping flaw (CWE\u20111322).", "If an upgrade is not possible, modify your code to avoid passing an AbortSignal when invoking the library to bypass control\u2011flow leakage (CWE\u2011705).", "Wrap calls to the promise in an explicit timeout or cancellation mechanism so that stalled promises do not block the event loop."], "summary": {"action": "Apply Patch", "impact": "Denial of Service due to permanently pending promises when AbortSignal is used"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Node.js package @tootallnate/once in all releases prior to version 3.0.1. Users whose code imports this package and passes an AbortSignal option while awaiting the resulting promise are susceptible to the issue.", "description_and_impact": "Versions of @tootallnate/once earlier than 3.0.1 contain a flaw in how the library handles AbortSignal options. When the signal is aborted, the library fails to execute the proper control flow scoping, leaving the returned promise in a permanently pending state. Any code that awaits the promise or attaches a .then() handler will block indefinitely, potentially exhausting resources or halting further application logic. This behavior leads to degraded application availability and can evolve into a denial\u2011of\u2011service scenario if exploited in a long\u2011running or high\u2011traffic context.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate severity risk, while the EPSS score of less than 1\u00a0% points to a very low probability of exploitation at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is through any JavaScript context that calls once with an AbortSignal \u2013 for example, server\u2011side API handlers or client\u2011side code that manages request cancellation. Successful exploitation would manifest as infinitely pending promises that consume event loop cycles or worker threads, effectively causing a denial of service."}}}}, "created": "2026-03-04T21:04:07.177186+00:00", "updated": "2026-04-17T13:30:19.603255+00:00", "vendors": ["tootallnate", "tootallnate$PRODUCT$once"]}