PatchSiren cyber security CVE debrief

CVE-2026-3449 TooTallNate CVE debrief

## Summary

CVE-2026-3449 is a **LOW-severity** vulnerability (CVSS 4.0: 1.9) in the npm package `@tootallnate/once`, affecting versions prior to 3.0.1. It is classified as **Incorrect Control Flow Scoping (CWE-705)**: when the `AbortSignal` option is used and the signal is aborted, the returned Promise is never settled and stays pending permanently. Callers waiting on it never continue, which can lead to stalled requests, blocked workers, or degraded application availability.

## Technical Details

The defect is in the promise-settlement logic used when an `AbortSignal` is provided. Upon abort, the Promise is neither rejected nor resolved, so it hangs. Any code awaiting it or chained with `.then()` never runs its continuation; each abandoned wait retains whatever closure, request context, and worker slot it holds, and these leaked control-flow paths accumulate over time and degrade system performance. This is not a busy block of the event loop: the process stays responsive, but the affected operation silently never completes, which is why it can go unnoticed until a worker pool or connection limit is exhausted.

## Affected Versions

- **Package:** `@tootallnate/once`
- **Vulnerable:** < 3.0.1
- **Patched:** 3.0.1

## Risk Assessment

| Factor | Assessment |
|--------|-----------|
| **Severity** | LOW (CVSS 4.0: 1.9) |
| **Attack Vector** | Local |
| **Privileges Required** | Low |
| **Availability Impact** | Low |
| **Exploitability** | Proof-of-concept exists |
| **KEV Listed** | No |

The low severity reflects the local attack vector and limited availability impact; the indefinite hang nonetheless poses operational risk in long-running applications.

## Recommended Actions

1. **Upgrade** to `@tootallnate/once` version 3.0.1 or later.
2. **Audit dependencies** for transitive use of vulnerable versions (for example, `npm ls @tootallnate/once` lists every installed copy with its version).
3. **Implement timeouts** on Promise-based operations as defense in depth, so a Promise that never settles cannot hold a request or worker forever.
4. **Monitor** production for stalled requests or worker thread exhaustion.

## Timeline

- **2026-03-03:** CVE published
- **2026-05-19:** CVE last modified

Vendor
TooTallNate
Product
@tootallnate/once
CVSS
LOW 1.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-03
Original CVE updated
2026-05-19
Advisory published
2026-03-03
Advisory updated
2026-05-19

Who should care

Node.js developers using @tootallnate/once for promise-based flow control, particularly in server applications or worker pools where AbortSignal is used for cancellation patterns.

Technical summary

The @tootallnate/once package before 3.0.1 fails to settle its Promise when the supplied AbortSignal is aborted, leaving the Promise permanently pending. Continuations chained with await or .then() never run, so each abandoned wait keeps its closure and worker slot alive, which can lead to resource exhaustion in applications that rely on abortable operations.

Defensive priority

low

Recommended defensive actions

  • Upgrade to @tootallnate/once version 3.0.1 or later
  • Audit dependencies for transitive usage of vulnerable versions
  • Implement timeouts on Promise-based operations as defense-in-depth
  • Monitor for stalled requests or worker thread exhaustion in production

Evidence notes

Vulnerability reported via Snyk. Fix commit and issue discussion available in source repository. NVD status: Deferred.
