Race Condition Affecting effect package, versions <3.20.0
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-EFFECT-15746380
- published22 Mar 2026
- disclosed20 Mar 2026
- creditJames Wainwright
Introduced: 20 Mar 2026
CVE-2026-32887 (opens in a new tab)How to fix?
Upgrade effect to version 3.20.0 or higher.
Overview
effect is a node package that allows you to add effects on images.
Affected versions of this package are vulnerable to Race Condition in the MixedScheduler class, where the AsyncLocalStorage context is not properly isolated between concurrent fiber executions. An attacker can access or manipulate another user's session data by triggering concurrent requests, causing the context from one request to be visible to another. This can result in authentication bypass or data leakage, such as reading another user's session or request headers.
Workaround
This vulnerability can be mitigated by capturing ALS-dependent values before entering the runtime and passing them via the internal context system, such as injecting user identifiers into request headers and reading them from there within handlers.