CVE-2026-32887
Published 2026-03-20
Priority: P3 · 45 | Severity: high | CVSS 3.1: 7.4 | Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.27% (18.5th percentile)
Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| effect-ts | effect | < 3.20.0 | 3.20.0 |
| effect_project | effect | >= 0 < 3.20.0 | 3.20.0 |
| effectful | effect | < 3.20.0 | 3.20.0 |
GHSA · 2026-03-20
CVE-2026-32887 [HIGH] CWE-362 Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC
## Versions
- `effect`: 3.19.15
- `@effect/rpc`: 0.72.1
- `@effect/platform`: 0.94.2
- Node.js: v22.20.0
- Vercel runtime with Fluid compute
- Next.js: 16 (App Router)
- `@clerk/nextjs`: 6.x
## Root cause
Effect's `MixedScheduler` batches fiber continuations and drains them inside a **single** microtask or timer callback. The `AsyncLocalStorage` context active during that callback belongs to whichever request first triggered the scheduler's drain cycle — **not** the request that owns the fiber being resumed.
### Detailed mechanism
#### 1. Scheduler batching (`effect/src/Scheduler.ts`, `MixedScheduler`)
```typescript
// MixedScheduler.starve() — called once when first task is sche
```
OSV · 2026-03-20 (mirrors the GHSA advisory above)
CVE-2026-32887 [HIGH] Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC
No detection rules found.
No public exploits indexed.