Overview
About vulnerability
Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using RpcServer.toWebHandler (or HttpApp.toWebHandlerRuntime) inside a Next.js App Router route handler, any Node.js AsyncLocalStorage-dependent API called from within an Effect fiber can read another concurrent request's context, or no context at all. Under production traffic this means auth() from @clerk/nextjs/server can return a different user's session, an authentication and authorization failure rather than a crash. Version 3.20.0 contains a fix for the issue; deployments that combine an affected effect version with a Next.js App Router handler and a context-dependent API should upgrade.
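The mechanism behind the advisory, as an added example that is not code from the Effect project or from the advisory itself: a handler body is handed to a shared run loop (a stand-in for a fiber runtime) instead of executing in the request's own async context, so an AsyncLocalStorage lookup made from that body sees whatever context the loop inherited. The `sessionStore` and `auth()` below are constructed stand-ins for what @clerk/nextjs/server keeps in AsyncLocalStorage, the scheduler is a toy model, and the `AsyncResource.bind` mitigation is an illustrative pattern, not a description of the change Effect shipped in 3.20.0.

```typescript
import { AsyncLocalStorage, AsyncResource } from "node:async_hooks";

// Constructed stand-in for the per-request session that @clerk/nextjs/server
// keeps in AsyncLocalStorage; the real store and its shape are not modelled.
interface Session {
  userId: string;
}
export const sessionStore = new AsyncLocalStorage<Session>();

// Stand-in for auth(): returns whatever session is current in async context.
export function auth(): string | undefined {
  return sessionStore.getStore()?.userId;
}

type Job = () => void;

// A minimal cooperative scheduler, standing in for a fiber runtime's run
// loop. Queued jobs are drained from one setImmediate callback, and that
// callback inherits the async context of whoever started the drain, so
// every job in the batch runs in that one context rather than its own.
function makeScheduler(startDrain: (drain: () => void) => void): (job: Job) => void {
  const queue: Job[] = [];
  let pending = false;
  return (job) => {
    queue.push(job);
    if (pending) return;
    pending = true;
    startDrain(() => {
      pending = false;
      for (const j of queue.splice(0)) j();
    });
  };
}

// Loop started from whichever request first submits work: the whole batch
// then runs under that request's session.
const callerStartedLoop = makeScheduler((drain) => setImmediate(drain));

// Loop owned by the runtime: its AsyncResource is created at module load,
// before any request exists, so jobs drained by it see no session at all.
const runtimeRoot = new AsyncResource("fiber-runtime");
const runtimeOwnedLoop = makeScheduler((drain) =>
  runtimeRoot.runInAsyncScope(() => setImmediate(drain)),
);

export type Runtime = (body: () => string | undefined) => Promise<string | undefined>;

// Vulnerable (1): auth() returns another concurrent request's user.
export const leakyRuntime: Runtime = (body) =>
  new Promise<string | undefined>((resolve) => callerStartedLoop(() => resolve(body())));

// Vulnerable (2): auth() returns undefined, the "no context at all" case.
export const detachedRuntime: Runtime = (body) =>
  new Promise<string | undefined>((resolve) => runtimeOwnedLoop(() => resolve(body())));

// Hardened: capture the submitting request's async context with
// AsyncResource.bind and run the body inside it, whichever loop drains it.
// Illustrative mitigation pattern only; not Effect's actual 3.20.0 fix.
export const boundRuntime: Runtime = (body) => {
  const bound = AsyncResource.bind(body);
  return new Promise<string | undefined>((resolve) => runtimeOwnedLoop(() => resolve(bound())));
};

// One route-handler invocation: enter the request's session, then hand the
// handler body to the runtime, the way a web-handler adapter would.
export function handleRequest(userId: string, runtime: Runtime): Promise<string | undefined> {
  return sessionStore.run({ userId }, () => runtime(() => auth()));
}

// Three requests started in the same tick, the overlap a busy server produces.
export function simulate(runtime: Runtime): Promise<(string | undefined)[]> {
  return Promise.all([
    handleRequest("alice", runtime),
    handleRequest("bob", runtime),
    handleRequest("carol", runtime),
  ]);
}

simulate(leakyRuntime)
  .then((r) => { console.log("leaky:   ", r); return simulate(detachedRuntime); }) // [ 'alice', 'alice', 'alice' ]
  .then((r) => { console.log("detached:", r); return simulate(boundRuntime); })  // [ undefined, undefined, undefined ]
  .then((r) => console.log("bound:   ", r));                                      // [ 'alice', 'bob', 'carol' ]
```

The two vulnerable runtimes show the two outcomes the advisory names: a loop started inside one request serves every queued body under that request's session (bob's handler sees alice), while a loop the runtime owns serves them with no session. The only difference in the hardened runtime is that the body is bound to the context of the request that submitted it, which is the property a practitioner should verify after upgrading: under overlapping requests, a context-dependent call made inside the Effect program must return the caller's own context.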
Details
- Affected product:
- astro, devtools, effect, nitro, nuxt, unstorage, uploadthing, vite, vite-dev-rpc, vite-hot-client, vite-plugin-checker, vite-plugin-inspect, vite-plugin-vue, vite-plugin-vue-inspector
- Affected packages:
- effect @ 3.17.7 (+80 more)