CVE-2026-3449

ADVISORY - github

Summary

Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.

EPSS Score⁠: 0.00012 (0.017)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-705⁠

Incorrect Control Flow Scoping

ADVISORY - github

CWE-705⁠

Incorrect Control Flow Scoping

ADVISORY - redhat

CWE-1322⁠

Use of Blocking Code in Single-threaded, Non-blocking Context

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.