PT-2026-26681 · Unknown+4 · @Effect/Platform+5

Jamesone · Published 2026-03-20 · Updated 2026-04-05 · CVE-2026-32887

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
Effect versions prior to 3.20.0
@effect/rpc versions prior to 0.72.1
@effect/platform versions prior to 0.94.2

Description
Effect is a framework for building TypeScript applications. In Effect versions prior to 3.20.0 (together with @effect/rpc prior to 0.72.1 and @effect/platform prior to 0.94.2), using RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime inside a Next.js App Router route handler allows Node.js AsyncLocalStorage-dependent APIs, when called from within an Effect fiber, to read the context of a different concurrent request, or no context at all. In production this surfaces as authentication failures: for example, the @clerk/nextjs/server auth() function can return another user's session. The root cause is Effect's MixedScheduler, which batches fiber continuations and drains them within a single microtask or timer callback. That callback inherits the AsyncLocalStorage context of the first request that triggered the drain cycle rather than the context of each fiber's owning request, so any operation that relies on AsyncLocalStorage, such as authentication or session management, can run under the wrong request's context. The issue manifests under concurrent load and is difficult to diagnose in local development, where requests rarely overlap. A workaround is to capture AsyncLocalStorage-dependent values before entering the Effect runtime and pass them through Effect's own context system.

Recommendations
Update to Effect version 3.20.0 or later.
Update to @effect/rpc version 0.72.1 or later.
Update to @effect/platform version 0.94.2 or later.

Weakness Enumeration
Race Condition

Related Identifiers
CVE-2026-32887
GHSA-38F7-945M-QR2G

Affected Products
@clerk/nextjs/server
@effect/platform
@effect/rpc
effect
Next.js
Node.js