What is GHSA-vpq2-c234-7xj6?

GHSA-vpq2-c234-7xj6 is a security advisory published by GitHub Security Advisories with Low severity. @tootallnate/once vulnerable to Incorrect Control Flow Scoping

Which CVE IDs does GHSA-vpq2-c234-7xj6 cover?

GHSA-vpq2-c234-7xj6 covers the following CVE IDs: CVE-2026-3449. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-vpq2-c234-7xj6?

GHSA-vpq2-c234-7xj6 has a CVSS v3 base score of 3.3, published by GitHub Security Advisories.

Which products are affected by GHSA-vpq2-c234-7xj6?

GHSA-vpq2-c234-7xj6 affects 2 products, including: npm/@tootallnate/once:\u003e= 3.0.0, \u003c 3.0.1; npm/@tootallnate/once:\u003c 2.0.1.

GHSA-vpq2-c234-7xj6LowCVSS 3.3

@tootallnate/once vulnerable to Incorrect Control Flow Scoping

Vendor

GitHub Security Advisories

Published

March 3, 2026

Last Modified

May 21, 2026

🔗 CVE IDs covered (1)

CVE-2026-3449 →

📋 Description

Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.

🎯 Affected products2

npm/@tootallnate/once:>= 3.0.0, < 3.0.1
npm/@tootallnate/once:< 2.0.1

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2026-3449
https://github.com/TooTallNate/once/issues/8
https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a
https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612
https://github.com/TooTallNate/once/releases/tag/v2.0.1
https://github.com/advisories/GHSA-vpq2-c234-7xj6