Fluid Attacks Database

Description

@tootallnate/once vulnerable to Incorrect Control Flow Scoping Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	@tootallnate/once	>=3.0.0 <3.0.1 \|\| >=0 <2.0.1	3.0.1, 2.0.1
rpm rhel9	pcs	-	-

Aliases

1. CVE-2026-34492. NVD-2026-34493. OSV-2026-34494. GCVE-2026-3449

References

1. https://github.com/TooTallNate/once/issues/82. https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a3. https://github.com/TooTallNate/once/releases/tag/v2.0.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.