{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32887", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.421Z", "datePublished": "2026-03-20T21:35:05.853Z", "dateUpdated": "2026-03-25T13:37:15.940Z"}, "containers": {"cna": {"title": "Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g"}], "affected": [{"vendor": "Effect-TS", "product": "effect", "versions": [{"version": "< 3.20.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:35:05.853Z"}, "descriptions": [{"lang": "en", "value": "Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context \u2014 or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue."}], "source": {"advisory": "GHSA-38f7-945m-qr2g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:36:39.114796Z", "id": "CVE-2026-32887", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:37:15.940Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32887", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:36:39.114796Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:37:05.082Z"}}], "cna": {"title": "Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC", "source": {"advisory": "GHSA-38f7-945m-qr2g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Effect-TS", "product": "effect", "versions": [{"status": "affected", "version": "< 3.20.0"}]}], "references": [{"url": "https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g", "name": "https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context \u2014 or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T21:35:05.853Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32887", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:37:15.940Z", "dateReserved": "2026-03-16T21:03:44.421Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T21:35:05.853Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:effectful:effect:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "720488DF-FC4E-43E2-9D3B-5FB783EF8BEC", "versionEndExcluding": "3.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context \u2014 or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue."}, {"lang": "es", "value": "Effect es un framework de TypeScript que consta de varios paquetes que trabajan juntos para ayudar a construir aplicaciones TypeScript. Antes de la versi\u00f3n 3.20.0, al usar `RpcServer.toWebHandler` (o `HttpApp.toWebHandlerRuntime`) dentro de un gestor de rutas del App Router de Next.js, cualquier API de Node.js dependiente de `AsyncLocalStorage` llamada desde dentro de una fibra de Effect puede leer el contexto de otra solicitud concurrente \u2014 o ning\u00fan contexto en absoluto. Bajo tr\u00e1fico de producci\u00f3n, `auth()` de `@clerk/nextjs/server` devuelve la sesi\u00f3n de un usuario diferente. La versi\u00f3n 3.20.0 contiene una soluci\u00f3n para el problema."}], "id": "CVE-2026-32887", "lastModified": "2026-04-14T18:41:28.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T22:16:27.980", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.20.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "effect", "source": "cna", "vendor": "Effect-TS"}, "product": "effect", "vendor": "effect_project"}], "analysis": {"en": {"generated_at": "2026-04-14T21:08:43.222770+00:00", "value": {"mitigation_remediation": ["Upgrade the Effect framework to version\u202f3.20.0 or later.", "Re\u2011deploy the application and verify that RpcServer.toWebHandler now preserves correct AsyncLocalStorage context.", "Confirm that user\u2011dependent APIs (e.g., @clerk/nextjs/server) return the expected session data.", "Optionally review related third\u2011party libraries for similar context issues."], "summary": {"action": "Apply patch", "impact": "Authentication context leakage / unauthorized sessions"}, "threat_synthesis": {"affected_systems": "The issue affects the Effect\u2011TS Effect framework, specifically the effect package, in all releases before version\u202f3.20.0. The flaw manifests in Node.js environments that use the framework in a Next.js App Router route via RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime. Updating to 3.20.0 or newer removes the bug.", "description_and_impact": "The flaw is in Effect\u2019s handling of AsyncLocalStorage within fibers. When multiple concurrent HTTP requests are processed, the request\u2011specific context can be lost or overwritten. Functions that rely on AsyncLocalStorage to retrieve the current request data, such as user authentication, may therefore read another request\u2019s session or none at all. This can lead to incorrect user identity resolution, enabling an attacker to access resources with another user\u2019s session data. The weakness corresponds to the concurrent modification race condition (CWE\u2011362).", "risk_and_exploitability": "The CVSS score of 7.4 indicates high severity, while the EPSS score of <1\u202f% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog, meaning no publicly known, actively exploited cases are documented. The attack vector is primarily via web requests handled by a Next.js application that relies on Effect fibers; an adversary would need to generate concurrent requests that trigger the race condition to cause context leakage."}}}}, "created": "2026-03-23T09:52:36.593141+00:00", "updated": "2026-04-15T16:45:09.810867+00:00", "vendors": ["effect_project", "effect_project$PRODUCT$effect"]}