Unknown · @Effect/Rpc · CVE-2026-32887
**Name of the Vulnerable Software and Affected Versions**
Effect versions prior to 3.20.0
@effect/rpc versions prior to 0.72.1
@effect/platform versions prior to 0.94.2
**Description**
Effect is a framework for building TypeScript applications. Versions prior to 3.20.0 contain a flaw that appears when `RpcServer.toWebHandler` or `HttpApp.toWebHandlerRuntime` is used inside a Next.js App Router route handler: Node.js `AsyncLocalStorage`-dependent APIs called from within an Effect fiber may read the context of another concurrent request, or no context at all. In production this can lead to authentication failures in which the `@clerk/nextjs/server` `auth()` function returns a different user's session. The root cause is that Effect's `MixedScheduler` batches fiber continuations and drains them within a single microtask or timer callback, so the drain inherits the `AsyncLocalStorage` context of the first request that triggered the drain cycle rather than that of the request owning each fiber. Any operation that relies on `AsyncLocalStorage`, such as authentication and session management, can therefore run with the wrong context. The issue manifests under concurrent load and is difficult to diagnose in local development environments. A workaround is to capture `AsyncLocalStorage`-dependent values before entering the Effect runtime and pass them through Effect's context system.
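The batching behaviour described above can be reproduced in plain Node.js. The following is an added example, not code from Effect or from this advisory: `BatchingScheduler`, `requestStore`, `handleRequest` and the user names are hypothetical stand-ins, and the `captureFirst` path mirrors the workaround of reading the value before work is handed to the scheduler.

```javascript
const { AsyncLocalStorage } = require("node:async_hooks");

// Constructed stand-in for the per-request store that an API such as auth() reads.
const requestStore = new AsyncLocalStorage();

// Toy batching scheduler (hypothetical; not Effect's MixedScheduler). Tasks from
// all requests share one queue, and one microtask drains the whole queue.
class BatchingScheduler {
  constructor() {
    this.queue = [];
    this.drainScheduled = false;
  }
  schedule(task) {
    this.queue.push(task);
    if (this.drainScheduled) return;
    this.drainScheduled = true;
    // The microtask inherits the AsyncLocalStorage context of this caller only.
    queueMicrotask(() => {
      const tasks = this.queue;
      this.queue = [];
      this.drainScheduled = false;
      for (const run of tasks) run();
    });
  }
}

// Simulated route handler: enters its own request context, then defers work.
function handleRequest(scheduler, user, captureFirst) {
  return requestStore.run({ user }, () => {
    // Workaround: read the value while still in the request's own context.
    const captured = requestStore.getStore().user;
    return new Promise((resolve) => {
      scheduler.schedule(() => {
        // Inside the drain, getStore() reflects whoever started the drain.
        const ambient = requestStore.getStore()?.user;
        resolve({ owner: user, seen: captureFirst ? captured : ambient });
      });
    });
  });
}

// Two requests arrive in the same tick and share one scheduler.
function runDemo(captureFirst) {
  const scheduler = new BatchingScheduler();
  return Promise.all(["alice", "bob"].map((u) => handleRequest(scheduler, u, captureFirst)));
}

runDemo(false).then((r) => console.log("ambient lookup:", r));
runDemo(true).then((r) => console.log("captured value:", r));
```

With the ambient lookup, the task owned by the second request observes the first request's store; with the captured value, each task sees its own user.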
**Recommendations**
Update to Effect version 3.20.0 or later.
Update to @effect/rpc version 0.72.1 or later.
Update to @effect/platform version 0.94.2 or later.