
CVE-2026-3449: @tootallnate/once Package DoS Vulnerability

CVE-2026-3449 is a denial of service flaw in the @tootallnate/once package affecting versions before 3.0.1. It causes promises to hang indefinitely when AbortSignal is used, leading to stalled requests and blocked workers.

Published: March 6, 2026

CVE-2026-3449 Overview

CVE-2026-3449 is an Incorrect Control Flow Scoping vulnerability affecting versions of the @tootallnate/once npm package before 3.0.1. The vulnerability occurs in promise resolving when the AbortSignal option is used. When a signal is aborted, the Promise remains in a permanently pending state, causing any await or .then() usage to hang indefinitely. This behavior can lead to control-flow leaks that result in stalled requests, blocked workers, or degraded application availability.

Critical Impact

Applications using vulnerable versions of @tootallnate/once with AbortSignal can experience indefinite hangs and service degradation when abort signals are triggered, potentially leading to denial of service conditions in Node.js applications.

Affected Products

  • @tootallnate/once versions before 3.0.1
  • Node.js applications utilizing the vulnerable package with AbortSignal functionality
  • Server-side JavaScript applications with abort handling logic

Discovery Timeline

  • 2026-03-03 - CVE-2026-3449 published to NVD
  • 2026-03-03 - Last updated in NVD database

Technical Details for CVE-2026-3449

Vulnerability Analysis

This vulnerability is classified under CWE-705 (Incorrect Control Flow Scoping). The @tootallnate/once package provides utility functions for creating a Promise that resolves the next time a specified event is emitted. When used with the AbortSignal option, the library fails to properly handle the abort scenario.

The core issue lies in how the promise resolution logic interacts with the AbortController API. When an AbortSignal is passed to the once() function and subsequently aborted, the promise should reject with an AbortError. Instead, due to incorrect control flow scoping, the promise neither resolves nor rejects—it remains perpetually pending.

This design flaw affects any code path that awaits the promise or chains .then() handlers, as the execution flow will stall indefinitely waiting for a resolution that never comes.

Root Cause

The root cause is an improper handling of the AbortSignal's abort event within the promise execution context. The library does not properly wire up the abort handler to reject the pending promise, leaving the control flow in an unresolved state. This represents a failure to properly scope the promise's resolve and reject callbacks relative to the abort signal's lifecycle.

Attack Vector

The vulnerability is exploitable locally through application code that uses the affected package. An attacker with the ability to influence abort signal timing—or in scenarios where abort signals are triggered by user actions, timeouts, or external conditions—can cause application threads or event loop iterations to hang indefinitely.

In server-side Node.js applications, this can manifest as:

  • HTTP request handlers that never complete
  • Worker threads that become permanently blocked
  • Cascading failures as resource pools become exhausted with hung operations

The vulnerability mechanism involves the promise's internal state management when handling AbortSignal events. When the signal's abort event fires, the promise should transition to a rejected state with an AbortError. Instead, the promise remains in its initial pending state, causing any code awaiting the promise to block indefinitely. For technical implementation details, see the GitHub commit fix and the related issue discussion.

Detection Methods for CVE-2026-3449

Indicators of Compromise

  • Application processes showing unexpectedly high numbers of pending promises
  • HTTP requests that time out on the client side but remain active on the server
  • Worker threads or processes that become unresponsive after abort operations
  • Memory growth patterns indicating accumulated pending async operations

Detection Strategies

  • Scan your project's package.json and package-lock.json for @tootallnate/once dependencies with versions below 3.0.1
  • Utilize npm audit or Snyk vulnerability scanning to identify vulnerable package versions in your dependency tree
  • Monitor application logs for timeout errors that correlate with AbortSignal usage patterns
  • Implement application-level health checks that detect hung promise states

Monitoring Recommendations

  • Deploy APM (Application Performance Monitoring) solutions to track promise resolution times and identify abnormal pending durations
  • Set up alerts for request handlers exceeding expected completion times, particularly those using abort functionality
  • Monitor Node.js event loop lag metrics as an indicator of blocked async operations
  • Implement circuit breaker patterns around operations using the affected package

How to Mitigate CVE-2026-3449

Immediate Actions Required

  • Update @tootallnate/once to version 3.0.1 or later immediately
  • Audit all applications using this package for AbortSignal usage patterns
  • Implement timeout wrappers around code using the vulnerable function as a temporary safeguard
  • Review downstream dependencies that may include @tootallnate/once transitively

Patch Information

The vulnerability has been addressed in version 3.0.1 of @tootallnate/once. The fix properly handles the AbortSignal abort event to ensure the promise rejects with an appropriate error when the signal is aborted. The patch is available via the GitHub commit. Additional details can be found in the Snyk vulnerability report.

Workarounds

  • Wrap calls to the affected function with Promise.race() and a timeout promise to prevent indefinite hangs
  • Avoid using the AbortSignal option with vulnerable versions until the update can be applied
  • Implement custom abort handling logic that doesn't rely on the vulnerable package's signal processing
  • Consider alternative packages that provide similar once-event-to-promise functionality with proper abort handling

```bash
# Update @tootallnate/once to the patched version
npm update @tootallnate/once

# Or install the specific fixed version
npm install @tootallnate/once@3.0.1

# Verify the installed version
npm list @tootallnate/once

# Run npm audit to check for additional vulnerabilities
npm audit
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DoS
  • Vendor/Tech: npm
  • Severity: Medium
  • CVSS Score: 4.8
  • EPSS Probability: 0.01%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: Low

CWE References

  • CWE-705

Technical References

  • GitHub Commit Changes
  • GitHub Issue Tracking
  • Snyk Vulnerability Report

Related CVEs

  • CVE-2026-2265: Replicator npm Package RCE Vulnerability
  • CVE-2026-0775: npm CLI Privilege Escalation Vulnerability