Bug 2444057 (CVE-2026-3449) - CVE-2026-3449 @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with AbortSignal
Keywords:
Status: NEW
Alias: CVE-2026-3449
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2444203 2444204 2444205 2444206 2444207 2444208 2444209 2444210
Blocks:
Reported: 2026-03-03 06:01 UTC by OSIDB Bzimport
Modified: 2026-03-03 20:17 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-03 06:01:31 UTC
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
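
Added example, not part of the bug report and not the package's source: a constructed stand-in that reproduces the described failure (abort cleans up but never settles the promise) beside a form that settles on abort, plus a caller-side deadline check. The names `onceLeaky`, `onceSettling`, `settleState` and `demo` are hypothetical, and rejecting on abort is an assumed remedy; the report does not say how 3.0.1 changes the behaviour.

```javascript
// Constructed stand-in, NOT the @tootallnate/once source: abort removes the
// listeners but never settles the promise, matching the behaviour described above.
function onceLeaky(target, name, { signal } = {}) {
  return new Promise((resolve) => {
    const onEvent = (ev) => { cleanup(); resolve(ev); };
    const cleanup = () => {
      target.removeEventListener(name, onEvent);
      signal?.removeEventListener('abort', cleanup);
    };
    signal?.addEventListener('abort', cleanup); // no reject(): promise stays pending
    target.addEventListener(name, onEvent);
  });
}

// Hardened form (assumed remedy): an abort always settles the promise by rejecting.
function onceSettling(target, name, { signal } = {}) {
  return new Promise((resolve, reject) => {
    if (signal?.aborted) { reject(signal.reason); return; }
    const onEvent = (ev) => { cleanup(); resolve(ev); };
    const onAbort = () => { cleanup(); reject(signal.reason); };
    const cleanup = () => {
      target.removeEventListener(name, onEvent);
      signal?.removeEventListener('abort', onAbort);
    };
    signal?.addEventListener('abort', onAbort);
    target.addEventListener(name, onEvent);
  });
}

// Caller-side guard: report whether a promise settles within `ms` milliseconds.
function settleState(promise, ms = 50) {
  let timer;
  const deadline = new Promise((r) => { timer = setTimeout(r, ms, 'pending'); });
  return Promise.race([promise.then(() => 'fulfilled', () => 'rejected'), deadline])
    .finally(() => clearTimeout(timer));
}

// Abort a wait (or, with fire=true, deliver the event) and classify the outcome.
function demo(onceImpl, fire = false) {
  const target = new EventTarget();
  const ac = new AbortController();
  const p = onceImpl(target, 'ready', { signal: ac.signal });
  if (fire) target.dispatchEvent(new Event('ready')); else ac.abort();
  return settleState(p);
}

demo(onceLeaky).then((s) => console.log('leaky after abort:', s));
demo(onceSettling).then((s) => console.log('settling after abort:', s));
```

Wrapping awaited calls in a deadline such as `settleState` bounds the stall for callers that cannot upgrade immediately.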

