Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/991799?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/991799?format=api", "purl": "pkg:npm/effect@3.11.4", "type": "npm", "namespace": "", "name": "effect", "version": "3.11.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.20.0", "latest_non_vulnerable_version": "3.20.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91760?format=api", "vulnerability_id": "VCID-a1qf-djgg-eye5", "summary": "Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC\n## Versions\n\n- `effect`: 3.19.15\n- `@effect/rpc`: 0.72.1\n- `@effect/platform`: 0.94.2\n- Node.js: v22.20.0\n- Vercel runtime with Fluid compute\n- Next.js: 16 (App Router)\n- `@clerk/nextjs`: 6.x\n\n## Root cause\n\nEffect's `MixedScheduler` batches fiber continuations and drains them inside a **single** microtask or timer callback. The `AsyncLocalStorage` context active during that callback belongs to whichever request first triggered the scheduler's drain cycle — **not** the request that owns the fiber being resumed.\n\n### Detailed mechanism\n\n#### 1. Scheduler batching (`effect/src/Scheduler.ts`, `MixedScheduler`)\n\n```typescript\n// MixedScheduler.starve() — called once when first task is scheduled\nprivate starve(depth = 0) {\n if (depth >= this.maxNextTickBeforeTimer) {\n setTimeout(() => this.starveInternal(0), 0) // timer queue\n } else {\n Promise.resolve(void 0).then(() => this.starveInternal(depth + 1)) // microtask queue\n }\n}\n\n// MixedScheduler.starveInternal() — drains ALL accumulated tasks in one call\nprivate starveInternal(depth: number) {\n const tasks = this.tasks.buckets\n this.tasks.buckets = []\n for (const [_, toRun] of tasks) {\n for (let i = 0; i < toRun.length; i++) {\n toRun[i]() // ← Every fiber continuation runs in the SAME ALS context\n }\n }\n // ...\n}\n```\n\n`scheduleTask` only calls `starve()` when `running` is `false`. Subsequent tasks accumulate in `this.tasks` until `starveInternal` drains them all. The `Promise.then()` (or `setTimeout`) callback inherits the ALS context from whichever call site created it — i.e., whichever request's fiber first set `running = true`.\n\n**Result:** Under concurrent load, fiber continuations from Request A and Request B execute inside the same `starveInternal` call, sharing a single ALS context. If Request A triggered `starve()`, then Request B's fiber reads Request A's ALS context.\n\n#### 2. `toWebHandlerRuntime` does not propagate ALS (`@effect/platform/src/HttpApp.ts:211-240`)\n\n```typescript\nexport const toWebHandlerRuntime = <R>(runtime: Runtime.Runtime<R>) => {\n const httpRuntime: Types.Mutable<Runtime.Runtime<R>> = Runtime.make(runtime)\n const run = Runtime.runFork(httpRuntime)\n return <E>(self: Default<E, R | Scope.Scope>, middleware?) => {\n return (request: Request, context?): Promise<Response> =>\n new Promise((resolve) => {\n // Per-request Effect context is correctly set via contextMap:\n const contextMap = new Map<string, any>(runtime.context.unsafeMap)\n const httpServerRequest = ServerRequest.fromWeb(request)\n contextMap.set(ServerRequest.HttpServerRequest.key, httpServerRequest)\n httpRuntime.context = Context.unsafeMake(contextMap)\n\n // But the fiber is forked without any ALS propagation:\n const fiber = run(httpApp as any) // ← ALS context is NOT captured or restored\n })\n }\n}\n```\n\nEffect's own `Context` (containing `HttpServerRequest`) is correctly set per-request. But the **Node.js ALS context** — which frameworks like Next.js, Clerk, and OpenTelemetry rely on — is not captured at fork time or restored when the fiber's continuations execute.\n\n#### 3. The dangerous pattern this enables\n\n```typescript\n// RPC handler — runs inside an Effect fiber\nconst handler = Effect.gen(function*() {\n // This calls auth() from @clerk/nextjs/server, which reads from ALS\n const { userId } = yield* Effect.tryPromise({\n try: async () => auth(), // ← may read WRONG user's session\n catch: () => new UnauthorizedError({ message: \"Auth failed\" })\n })\n return yield* repository.getUser(userId)\n})\n```\n\nThe `async () => auth()` thunk executes when the fiber continuation is scheduled by `MixedScheduler`. At that point, the ALS context belongs to an arbitrary concurrent request.\n\n## Reproduction scenario\n\n```\nTimeline (two concurrent requests to the same toWebHandler endpoint):\n\nT0: Request A arrives → POST handler → webHandler(requestA)\n → Promise executor runs synchronously\n → httpRuntime.context set to A's context\n → fiber A forked, runs first ops synchronously\n → fiber A yields (e.g., at Effect.tryPromise boundary)\n → scheduler.scheduleTask(fiberA_continuation)\n → running=false → starve() called → Promise.resolve().then(drain)\n ↑ ALS context captured = Request A's context\n\nT1: Request B arrives → POST handler → webHandler(requestB)\n → Promise executor runs synchronously\n → httpRuntime.context set to B's context\n → fiber B forked, runs first ops synchronously\n → fiber B yields\n → scheduler.scheduleTask(fiberB_continuation)\n → running=true → task queued, no new starve()\n\nT2: Microtask fires → starveInternal() runs\n → Drains fiberA_continuation → auth() reads ALS → gets A's context ✓\n → Drains fiberB_continuation → auth() reads ALS → gets A's context ✗ ← WRONG USER\n```\n\n## Minimal reproduction\n\n```typescript\nimport { AsyncLocalStorage } from \"node:async_hooks\"\nimport { Effect, Layer } from \"effect\"\nimport { RpcServer, RpcSerialization, Rpc, RpcGroup } from \"@effect/rpc\"\nimport { HttpServer } from \"@effect/platform\"\nimport * as S from \"effect/Schema\"\n\n// Simulate a framework's ALS (like Next.js / Clerk)\nconst requestStore = new AsyncLocalStorage<{ userId: string }>()\n\nclass GetUser extends Rpc.make(\"GetUser\", {\n success: S.Struct({ userId: S.String, alsUserId: S.String }),\n failure: S.Never,\n payload: {}\n}) {}\n\nconst MyRpc = RpcGroup.make(\"MyRpc\").add(GetUser)\n\nconst MyRpcLive = MyRpc.toLayer(\n RpcGroup.toHandlers(MyRpc, {\n GetUser: () =>\n Effect.gen(function*() {\n // Simulate calling an ALS-dependent API inside an Effect fiber\n const alsResult = yield* Effect.tryPromise({\n try: async () => {\n const store = requestStore.getStore()\n return store?.userId ?? \"NONE\"\n },\n catch: () => { throw new Error(\"impossible\") }\n })\n return { userId: \"from-effect-context\", alsUserId: alsResult }\n })\n })\n)\n\nconst RpcLayer = MyRpcLive.pipe(\n Layer.provideMerge(RpcSerialization.layerJson),\n Layer.provideMerge(HttpServer.layerContext)\n)\n\nconst { handler } = RpcServer.toWebHandler(MyRpc, { layer: RpcLayer })\n\n// Simulate two concurrent requests with different ALS contexts\nasync function main() {\n const results = await Promise.all([\n requestStore.run({ userId: \"user-A\" }, () => handler(makeRpcRequest(\"GetUser\"))),\n requestStore.run({ userId: \"user-B\" }, () => handler(makeRpcRequest(\"GetUser\"))),\n ])\n\n // Parse responses and check if alsUserId matches the expected user\n // Under the bug: both responses may show \"user-A\" (or one shows the other's)\n for (const res of results) {\n console.log(await res.json())\n }\n}\n```\n\n## Impact\n\n| Symptom | Severity |\n|---------|----------|\n| `auth()` returns wrong user's session | **Critical** — authentication bypass |\n| `cookies()` / `headers()` from Next.js read wrong request | **High** — data leakage |\n| OpenTelemetry trace context crosses requests | **Medium** — incorrect traces |\n| Works locally, fails in production | Hard to diagnose — only manifests under concurrent load |\n\n## Workaround\n\nCapture ALS-dependent values **before** entering the Effect runtime and pass them via Effect's own context system:\n\n```typescript\n// In the route handler — OUTSIDE the Effect fiber (ALS is correct here)\nexport const POST = async (request: Request) => {\n const { userId } = await auth() // ← Safe: still in Next.js ALS context\n\n // Inject into request headers or use the `context` parameter\n const headers = new Headers(request.headers)\n headers.set(\"x-clerk-auth-user-id\", userId ?? \"\")\n const enrichedRequest = new Request(request.url, {\n method: request.method,\n headers,\n body: request.body,\n duplex: \"half\" as any,\n })\n\n return webHandler(enrichedRequest)\n}\n\n// In Effect handlers — read from HttpServerRequest headers instead of calling auth()\nconst getAuthenticatedUserId = Effect.gen(function*() {\n const req = yield* HttpServerRequest.HttpServerRequest\n const userId = req.headers[\"x-clerk-auth-user-id\"]\n if (!userId) return yield* Effect.fail(new UnauthorizedError({ message: \"Auth required\" }))\n return userId\n})\n```\n\n## Suggested fix (for Effect maintainers)\n\n### Option A: Propagate ALS context through the scheduler\n\nCapture the `AsyncLocalStorage` snapshot when a fiber continuation is scheduled, and restore it when the continuation executes:\n\n```typescript\n// In MixedScheduler or the fiber runtime\nimport { AsyncLocalStorage } from \"node:async_hooks\"\n\nscheduleTask(task: Task, priority: number) {\n // Capture current ALS context\n const snapshot = AsyncLocalStorage.snapshot()\n this.tasks.scheduleTask(() => snapshot(task), priority)\n // ...\n}\n```\n\n`AsyncLocalStorage.snapshot()` (Node.js 20.5+) returns a function that, when called, restores the ALS context from the point of capture. This ensures each fiber continuation runs with its originating request's ALS context.\n\n**Trade-off:** Adds one closure allocation per scheduled task. Could be opt-in via a `FiberRef` or scheduler option.\n\n### Option B: Capture ALS at `runFork` and restore per fiber step\n\nWhen `Runtime.runFork` is called, capture the ALS snapshot and associate it with the fiber. Before each fiber step (in the fiber runtime's `evaluateEffect` loop), restore the snapshot.\n\n**Trade-off:** More invasive but provides correct ALS propagation for the fiber's entire lifetime, including across `flatMap` chains and `Effect.tryPromise` thunks.\n\n### Option C: Document the limitation and provide a `context` injection API\n\nIf ALS propagation is intentionally not supported, document this prominently and provide a first-class API for `toWebHandler` to accept per-request context. The existing `context?: Context.Context<never>` parameter on the handler function partially addresses this, but it requires callers to know about the issue and manually extract values before entering Effect.\n\n## Related\n\n- Node.js `AsyncLocalStorage` docs: https://nodejs.org/api/async_context.html\n- `AsyncLocalStorage.snapshot()`: https://nodejs.org/api/async_context.html#static-method-asynclocalstoragesnapshot\n- Next.js uses ALS for `cookies()`, `headers()`, `auth()` in App Router\n- Similar issue pattern in other fiber-based runtimes (e.g., ZIO has `FiberRef` propagation for this)\n\n\n## POC replica of my setup\n\n```\n// Create web handler from Effect RPC\n// sharedMemoMap ensures all RPC routes share the same connection pool\nconst { handler: webHandler, dispose } = RpcServer.toWebHandler(DemoRpc, {\n layer: RpcLayer,\n memoMap: sharedMemoMap,\n});\n\n/**\n * POST /api/rpc/demo\n */\nexport const POST = async (request: Request) => {\n return webHandler(request);\n};\n\nregisterDispose(dispose);\n```\n\n### Used util functions\n\n```\n\n/**\n * Creates a dispose registry that collects dispose callbacks and runs them\n * when `runAll` is invoked. Handles both sync and async dispose functions,\n * catching errors to prevent one failing dispose from breaking others.\n *\n * @internal Exported for testing — use `registerDispose` in application code.\n */\nexport const makeDisposeRegistry = () => {\n const disposeFns: Array<() => void | Promise<void>> = []\n\n const runAll = () => {\n for (const fn of disposeFns) {\n try {\n const result = fn()\n if (result && typeof result.then === \"function\") {\n result.then(undefined, (err: unknown) => console.error(\"Dispose error:\", err))\n }\n } catch (err) {\n console.error(\"Dispose error:\", err)\n }\n }\n }\n\n const register = (dispose: () => void | Promise<void>) => {\n disposeFns.push(dispose)\n }\n\n return { register, runAll }\n}\n\nexport const registerDispose: (dispose: () => void | Promise<void>) => void = globalValue(\n Symbol.for(\"@global/RegisterDispose\"),\n () => {\n const registry = makeDisposeRegistry()\n\n if (typeof process !== \"undefined\") {\n process.once(\"beforeExit\", registry.runAll)\n }\n\n return registry.register\n }\n)\n```\n\n### The actual effect that was run within the RPC context that the bug was found\n\n```\nexport const getAuthenticatedUserId: Effect.Effect<string, UnauthorizedError> =\n Effect.gen(function*() {\n const authResult = yield* Effect.tryPromise({\n try: async () => auth(),\n catch: () =>\n new UnauthorizedError({\n message: \"Failed to get auth session\"\n })\n })\n\n if (!authResult.userId) {\n return yield* Effect.fail(\n new UnauthorizedError({\n message: \"Authentication required\"\n })\n )\n }\n\n return authResult.userId\n })\n ```", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02938", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03035", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03043", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02991", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02974", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32887" }, { "reference_url": "https://github.com/Effect-TS/effect", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Effect-TS/effect" }, { "reference_url": "https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:36:39Z/" } ], "url": "https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32887", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32887" }, { "reference_url": "https://github.com/advisories/GHSA-38f7-945m-qr2g", "reference_id": "GHSA-38f7-945m-qr2g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-38f7-945m-qr2g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/114092?format=api", "purl": "pkg:npm/effect@3.20.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/effect@3.20.0" } ], "aliases": [ "CVE-2026-32887", "GHSA-38f7-945m-qr2g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a1qf-djgg-eye5" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/effect@3.11.4" }