VDB

SNYK-JS-TOOTALLNATEONCE-15250612

SNYK-JS-TOOTALLNATEONCE-15250612 PUBLISHED CVSS 4.800000190734863 MEDIUM

## Overview Affected versions of this package are vulnerable to Incorrect Control Flow Scoping in promise resolving when `AbortSignal` option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any `await` or `.then()` usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability. ## Remediation Upgrade `@tootallnate/once` to version 3.0.1 or higher. ## References - [GitHub Commit](https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a) - [GitHub Issue](https://github.com/TooTallNate/once/issues/8)

Risk Scores

CVSS 3.1
4.800000190734863
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P

Affected Products

VendorProductVersions
0

Timeline

  • Feb 2, 2026 CVE Updated
  • Mar 2, 2026 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›