CVE-2026-32887

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-20 22:16

Updated : 2026-03-23 14:32

NVD link : CVE-2026-32887

Mitre link : CVE-2026-32887

CVE.ORG link : CVE-2026-32887

JSON object : View

Products Affected

No product.

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2026-32887", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}]}, "published": "2026-03-20T22:16:27.980", "references": [{"url": "https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context \u2014 or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue."}, {"lang": "es", "value": "Effect es un framework de TypeScript que consta de varios paquetes que trabajan juntos para ayudar a construir aplicaciones TypeScript. Antes de la versi\u00f3n 3.20.0, al usar `RpcServer.toWebHandler` (o `HttpApp.toWebHandlerRuntime`) dentro de un gestor de rutas del App Router de Next.js, cualquier API de Node.js dependiente de `AsyncLocalStorage` llamada desde dentro de una fibra de Effect puede leer el contexto de otra solicitud concurrente \u2014 o ning\u00fan contexto en absoluto. Bajo tr\u00e1fico de producci\u00f3n, `auth()` de `@clerk/nextjs/server` devuelve la sesi\u00f3n de un usuario diferente. La versi\u00f3n 3.20.0 contiene una soluci\u00f3n para el problema."}], "lastModified": "2026-03-23T14:32:02.800", "sourceIdentifier": "security-advisories@github.com"}