From 698e74725681fe19f553bb262920ace6b3f1b6eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Sebasti=C3=A1n=20Montoya?= <juansmm@outlook.com>
Date: Mon, 11 May 2026 10:56:48 -0500
Subject: [PATCH] Improve GHSA-vpq2-c234-7xj6

---
 .../GHSA-vpq2-c234-7xj6.json                  | 31 ++++++++++++++-----
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/advisories/github-reviewed/2026/03/GHSA-vpq2-c234-7xj6/GHSA-vpq2-c234-7xj6.json b/advisories/github-reviewed/2026/03/GHSA-vpq2-c234-7xj6/GHSA-vpq2-c234-7xj6.json
index 20e8c946f840b..b8d014b93224b 100644
--- a/advisories/github-reviewed/2026/03/GHSA-vpq2-c234-7xj6/GHSA-vpq2-c234-7xj6.json
+++ b/advisories/github-reviewed/2026/03/GHSA-vpq2-c234-7xj6/GHSA-vpq2-c234-7xj6.json
@@ -7,15 +7,11 @@
     "CVE-2026-3449"
   ],
   "summary": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping",
-  "details": "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.",
+  "details": "Versions of the package @tootallnate/once before 2.0.1 (in the 2.x line) and before 3.0.1 (in the 3.x line) are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
-    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -29,7 +25,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "3.0.0"
             },
             {
               "fixed": "3.0.1"
@@ -37,6 +33,25 @@
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@tootallnate/once"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.1"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [
@@ -65,7 +80,7 @@
     "cwe_ids": [
       "CWE-705"
     ],
-    "severity": "LOW",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-04T20:15:03Z",
     "nvd_published_at": "2026-03-03T05:17:25Z"