Description
CVE-2026-3449 - Low Severity Vulnerability
Vulnerable Library - once-1.1.2.tgz
Creates a Promise that waits for a single event
Library home page: https://registry.npmjs.org/@tootallnate/once/-/once-1.1.2.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/node_modules/.pnpm/@TooTallNate+once@1.1.2/node_modules/@tootallnate/once/package.json
Dependency Hierarchy:
- @postgres.ai/ce-4.0.3.tgz (Root Library)
  - react-scripts-5.0.1.tgz
    - jest-27.5.1.tgz
      - core-27.5.1.tgz
        - jest-config-27.5.1.tgz
          - jest-environment-jsdom-27.5.1.tgz
            - jsdom-16.7.0.tgz
              - http-proxy-agent-4.0.1.tgz
                - ❌ once-1.1.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
Publish Date: 2026-03-03
URL: CVE-2026-3449
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-03
Fix Resolution: @tootallnate/once - 3.0.1