Incorrect Control Flow Scoping

CVE-2026-3449

Low

1.9/10

Summary

Versions of the package @tootallnate/once prior to 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or ".then()" usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: LOW

CWE-705 - Incorrect Control Flow Scoping

The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

References

Advisory
Issue
Release Note

Advisory Timeline

Published Mar 03, 2026

Incorrect Control Flow Scoping

CVE-2026-3449

Summary

CWE-705 - Incorrect Control Flow Scoping

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS