Description
Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.
Published: 2026-03-20
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication context leakage / unauthorized sessions
Action: Apply patch
AI Analysis

Impact

The flaw lies in how Effect fibers interact with Node.js AsyncLocalStorage. When several HTTP requests are in flight, the store that is current inside a fiber is not reliably the one belonging to the request that started the fiber: it can be another request's store, or none at all. Any API that uses AsyncLocalStorage to look up per-request data, such as auth() from @clerk/nextjs/server, can therefore return a different request's session or no session. The practical consequence is incorrect identity resolution: a request can be authorized and served as a different user, which covers both reading that user's data and acting with that user's privileges (the CVSS vector rates confidentiality and integrity impact high). The weakness is classified as CWE-362, Concurrent Execution Using Shared Resource with Improper Synchronization ("Race Condition").
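To make the mechanism concrete, here is an added example. It is not code from the Effect project and is a deliberately simplified model of the failure mode, not Effect's real scheduler: a hypothetical shared task queue drained by a single setImmediate callback is enough to reproduce the "another request's context" symptom described above, and a second variant shows the repair of binding each task to the async context that was current when it was scheduled (Node's AsyncResource.bind). The RequestContext type, the two scheduler classes, the currentUser() stand-in for an auth lookup, and the sample requests for users alice and bob are all constructed for the demonstration.

```typescript
import { AsyncLocalStorage, AsyncResource } from "node:async_hooks";

// Per-request context, as a route handler or an auth library would keep it
// (constructed for this example).
interface RequestContext {
  requestId: string;
  userId: string;
}

const requestStore = new AsyncLocalStorage<RequestContext>();

// Stand-in for an AsyncLocalStorage-dependent API such as an auth() helper:
// it returns whatever store is current at the moment it is called.
function currentUser(): string | undefined {
  return requestStore.getStore()?.userId;
}

type Task = () => void;

interface Scheduler {
  schedule(task: Task): void;
}

// Hypothetical scheduler that models the failure mode: tasks from every
// request share one queue, drained by one setImmediate callback. That
// callback inherits the AsyncLocalStorage context of whichever request
// armed it, so tasks queued by the other requests run under the wrong store.
class SharedQueueScheduler implements Scheduler {
  private queue: Task[] = [];
  private armed = false;

  schedule(task: Task): void {
    this.queue.push(task);
    if (!this.armed) {
      this.armed = true;
      setImmediate(() => this.drain());
    }
  }

  private drain(): void {
    this.armed = false;
    const batch = this.queue;
    this.queue = [];
    for (const task of batch) task();
  }
}

// Same queue design, but each task is bound to the async context that was
// current when it was scheduled. AsyncResource.bind captures that context
// (for every AsyncLocalStorage instance) and restores it when the task runs.
class ContextPreservingScheduler extends SharedQueueScheduler {
  schedule(task: Task): void {
    super.schedule(AsyncResource.bind(task));
  }
}

// Simulates one request: enter the request's context, hand work to the
// scheduler, and report which user that work observed.
function handleRequest(scheduler: Scheduler, ctx: RequestContext): Promise<string | undefined> {
  return new Promise((resolve) => {
    requestStore.run(ctx, () => {
      scheduler.schedule(() => resolve(currentUser()));
    });
  });
}

// Two concurrent requests for different users (constructed sample data).
async function runConcurrent(scheduler: Scheduler): Promise<{ r1?: string; r2?: string }> {
  const [r1, r2] = await Promise.all([
    handleRequest(scheduler, { requestId: "r1", userId: "alice" }),
    handleRequest(scheduler, { requestId: "r2", userId: "bob" }),
  ]);
  return { r1, r2 };
}

// Runs both schedulers and returns what each request saw under each one.
export async function demonstrate() {
  const leaky = await runConcurrent(new SharedQueueScheduler());
  const fixed = await runConcurrent(new ContextPreservingScheduler());
  return { leaky, fixed };
}

demonstrate().then(({ leaky, fixed }) => {
  console.log("shared queue:      ", leaky); // r2 observes alice: bob's request runs as alice
  console.log("context-preserving:", fixed); // each request observes its own user
});
```

Run it with `npx tsx example.ts` on Node 18 or later. Under the shared queue, request r2 reads r1's user, which is the Clerk symptom the advisory describes; had the drain loop been armed outside any request (for instance at module load), getStore() would instead return undefined, the "no context at all" case. AsyncLocalStorage.snapshot() (Node 18.16 and later) is an alternative to AsyncResource.bind that captures all stores as a callable. The same shape, two concurrent requests compared against the user each one observes, is also a reasonable post-upgrade check for a real route handler.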

Affected Systems

The issue affects the Effect framework (the effect package published by Effectful; NVD records the CPE cpe:2.3:a:effectful:effect with the node.js target) in all releases before version 3.20.0. The flaw manifests in Node.js deployments that serve an Effect handler from a Next.js App Router route via RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime and call AsyncLocalStorage-dependent APIs from inside the resulting fibers. Updating to 3.20.0 or newer removes the bug.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, 7.4 High) describes a flaw reachable over the network with no privileges or user interaction, but with high attack complexity because the outcome depends on request timing the attacker does not fully control; the SSVC assessment records Exploitation: poc and Automatable: no. The EPSS score below 1% suggests a low probability of exploitation in the wild at present, and the CVE is not listed in CISA's KEV catalog, so no actively exploited cases are documented. An adversary would issue concurrent requests to an affected Next.js route in the hope that one of them is processed under another user's session. Note that the description states the mix-up also occurs under ordinary production traffic, so legitimate users can receive each other's sessions with no attacker involved; affected operators should treat this as a possible data exposure, not only as an attack vector.

Generated by OpenCVE AI on April 14, 2026 at 21:08 UTC.

Remediation

Fixed upstream in effect 3.20.0 (GitHub advisory GHSA-38f7-945m-qr2g). No workaround for earlier versions is listed on this page.

OpenCVE Recommended Actions

  • Upgrade the Effect framework to version 3.20.0 or later.
  • Re‑deploy the application and verify that RpcServer.toWebHandler now preserves correct AsyncLocalStorage context.
  • Confirm that user‑dependent APIs (e.g., @clerk/nextjs/server) return the expected session data.
  • Review other code paths that hand request work to a shared scheduler, queue or worker pool, since any AsyncLocalStorage‑dependent API (request‑scoped loggers, tracing, tenant lookups) is exposed to the same class of context loss.

Advisories
Source: GitHub GHSA
ID: GHSA-38f7-945m-qr2g
Title: Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC
History

Tue, 14 Apr 2026 18:45:00 +0000

First Time appeared: added Effectful, Effectful effect
CPEs: added cpe:2.3:a:effectful:effect:*:*:*:*:*:node.js:*:*
Vendors & Products: added Effectful, Effectful effect

Wed, 25 Mar 2026 14:15:00 +0000

Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

First Time appeared: added Effect Project, Effect Project effect
Vendors & Products: added Effect Project, Effect Project effect

Fri, 20 Mar 2026 21:45:00 +0000

Description: added (the CVE description shown at the top of this page)
Title: added Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC
Weaknesses: added CWE-362
References: added (values not shown)
Metrics: added cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:37:15.940Z

Reserved: 2026-03-16T21:03:44.421Z

Link: CVE-2026-32887

Vulnrichment

Updated: 2026-03-25T13:37:05.082Z

NVD

Status: Analyzed

Published: 2026-03-20T22:16:27.980

Modified: 2026-04-14T18:41:28.923

Link: CVE-2026-32887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses