6.3
Using @tootallnate/once can cause your app to freeze
CVE-2026-3449
GHSA-vpq2-c234-7xj6
Summary
@tootallnate/once versions before 3.0.1 can cause your app to freeze if you use it with the AbortSignal option. This can lead to slow or unresponsive apps, stalled requests, and even crashed workers. Update to version 3.0.1 or later to fix this issue.
What to do
- Update tootallnate once to version 3.0.1.
- Update tootallnate @tootallnate/once to version 3.0.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| tootallnate | once | < 3.0.1 | 3.0.1 |
| tootallnate | @tootallnate/once | < 3.0.1 | 3.0.1 |
Original title
@tootallnate/once vulnerable to Incorrect Control Flow Scoping
Original description
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
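The hang described above, reduced to a stand-alone sketch (an added example, not the package's source or the upstream patch). `onceHanging`, `onceSettling`, `settleState`, `makeEmitter` and `demo` are hypothetical names written for illustration; `makeEmitter` is a constructed stand-in for an EventEmitter.

```javascript
// Added illustration (not the package's source). Constructed stand-in emitter, no imports needed.
function makeEmitter() {
  const handlers = new Map();
  return {
    on: (name, fn) => handlers.set(name, fn),
    removeListener: (name) => handlers.delete(name),
    emit: (name, ...args) => handlers.get(name)?.(...args),
  };
}

// Flawed pattern: abort only detaches the listener, so the promise never settles.
function onceHanging(emitter, name, { signal } = {}) {
  return new Promise((resolve) => {
    const onEvent = (...args) => resolve(args);
    emitter.on(name, onEvent);
    signal?.addEventListener('abort', () => emitter.removeListener(name, onEvent), { once: true });
  });
}

// Corrected pattern: abort, including an already-aborted signal, rejects the promise.
function onceSettling(emitter, name, { signal } = {}) {
  return new Promise((resolve, reject) => {
    const abortError = () => signal.reason ?? new Error('aborted');
    if (signal?.aborted) return reject(abortError());
    const onAbort = () => { emitter.removeListener(name, onEvent); reject(abortError()); };
    const onEvent = (...args) => { signal?.removeEventListener('abort', onAbort); resolve(args); };
    emitter.on(name, onEvent);
    signal?.addEventListener('abort', onAbort, { once: true });
  });
}

// Regression probe: reports how a promise settles within `ms`, or 'pending' if it does not.
function settleState(promise, ms = 50) {
  let timer;
  const timeout = new Promise((r) => { timer = setTimeout(() => r('pending'), ms); });
  return Promise.race([promise.then(() => 'resolved', () => 'rejected'), timeout])
    .finally(() => clearTimeout(timer));
}

async function demo() {
  const results = {};
  for (const [label, once] of [['hanging', onceHanging], ['settling', onceSettling]]) {
    const controller = new AbortController();
    const promise = once(makeEmitter(), 'data', { signal: controller.signal });
    controller.abort(); // abort before any event arrives
    results[label] = await settleState(promise);
  }
  return results;
}
demo().then((r) => console.log(r));
```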
NVD CVSS 3.1
3.3
NVD CVSS 4.0
4.8
Vulnerability type
CWE-705
- https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df4...
- https://github.com/TooTallNate/once/issues/8
- https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612
- https://nvd.nist.gov/vuln/detail/CVE-2026-3449
- https://github.com/advisories/GHSA-vpq2-c234-7xj6
- https://github.com/TooTallNate/once (Product)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026