CVE-2026-32887 - Vulnerability Details

- Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

Description

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.

Published: 2026-03-20

Score: 7.4 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Effect framework can lose or mix Node.js AsyncLocalStorage context during concurrent RPC calls in a Next.js App Router route, causing wrapped APIs such as auth() from @clerk/nextjs/server to return a different user’s session or no session at all. This flaw is a race condition type weakness that can expose another user's data or allow successful use of another user’s privileges in a production environment.

Affected Systems

Products: Effect-TS:effect (all packages that include RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime). An affected release is any version prior to 3.20.0. If your application incorporates Effect-TS in a Next.js App Router route handler, the vulnerability applies. No other vendor or platform is explicitly enumerated in the advisory.

Risk and Exploitability

The vulnerability scores a CVSS base of 7.4, classifying it as high severity. The EPSS score is not published, but the flaw is exploit‑sensitive to concurrent load, which is common in production traffic. Since the issue is not currently listed in CISA’s KEV catalog, known exploits are not publicly reported. An attacker would need to generate concurrent requests that trigger the AsyncLocalStorage mix‑up; once exploited, the attacker could read other user sessions or elevate privileges. The lack of a public exploit does not reduce the risk when usage patterns permit the required concurrency.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Effect-TS

effect

affected

Version	Status	Constraints
`< 3.20.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:effectful:effect:*:*:*:*:*:node.js:*:*

No data.

Vendor Product Confidence Versions

Effect Project

Effect

81%

Version	Status	Scheme	Platform
`[0,3.20.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Effect-TS to version 3.20.0 or later.

Generated by OpenCVE AI on March 20, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-38f7-945m-qr2g	Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g

History

Tue, 14 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Effectful Effectful effect
CPEs		cpe:2.3:a:effectful:effect::::::node.js::*
Vendors & Products		Effectful Effectful effect

Wed, 25 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Effect Project Effect Project effect
Vendors & Products		Effect Project Effect Project effect

Fri, 20 Mar 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.
Title		Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC
Weaknesses		CWE-362
References		https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g
Metrics		cvssV3_1 `{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Effect Project Effect

Effectful Effect

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-20T21:35:05.853Z

Updated: 2026-03-25T13:37:15.940Z

Reserved: 2026-03-16T21:03:44.421Z

Link: CVE-2026-32887

Vulnrichment

Updated: 2026-03-25T13:37:05.082Z

NVD

Status : Analyzed

Published: 2026-03-20T22:16:27.980

Modified: 2026-04-14T18:41:28.923

Link: CVE-2026-32887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:30Z

Weaknesses

CWE-362

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object