Description

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.

INFO

Published Date :

2026-03-20T21:35:05.853Z

Last Modified :

2026-03-25T13:37:15.940Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32887 vulnerability.

Vendors Products
Effect Project
  • Effect
Effectful
  • Effect
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32887.

URL Resource
https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact