@tootallnate/once Promise Hang Vulnerability Allowing Denial-of-Service

Vulnerability

A control flow vulnerability has been identified in the @tootallnate/once package, affecting all versions prior to 3.0.1. The issue arises when the AbortSignal option is used: when the signal is aborted, the promise never settles and remains pending permanently. Any await or .then() on it therefore hangs indefinitely, a control-flow leak that can result in stalled requests, blocked workers, or degraded application availability.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by leaving promises in a pending state, which can stall request handling and block worker threads or job queues. This is particularly problematic in environments with limited concurrency, where pending promises can accumulate and exhaust available resources.

Reproduction

The vulnerability can be reproduced by calling the @tootallnate/once function with an EventEmitter and an AbortSignal, then aborting the signal after the promise has been created. The promise remains pending, demonstrating the control-flow hang.

Remediation

Users can upgrade to version 3.0.1 or higher to address this vulnerability.

Added: Mar 3, 2026, 5:19 AM
Updated: Mar 3, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.