Incident Report: December 16th, 2025

A security incident involving a vulnerability in specific Next.js versions led to compromised user workloads on Railway, affecting a small percentage of deployments primarily in Europe West, resulting in degraded performance and network issues. The incident, which unfolded on December 16, 2025, was traced to a malicious binary used for cryptomining, exploiting a vulnerability in React Server Components. Railway responded by blocking the malicious processes, suspending new builds with vulnerable versions, and notifying affected users to rotate sensitive information as a precaution. Despite implementing mitigations and recovery efforts, the attack caused significant resource strain across the platform. Railway emphasized the importance of upgrading vulnerable versions and committed to enhancing security measures to prevent similar incidents in the future.