CVE-2026-32887— Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

使用共享资源的并发执行不恰当同步问题(竞争条件)

Effect Monorepo 竞争条件问题漏洞

Effect Monorepo是Effect开源的一个用于构建TypeScript应用的功能式框架。 Effect Monorepo 3.20.0之前版本存在竞争条件问题漏洞，该漏洞源于RpcServer.toWebHandler存在上下文混淆，可能导致读取其他并发请求的上下文。

N/A

N/A