
Incident Report: December 16th, 2025
We recently experienced an incident caused by the exploitation of a newly disclosed vulnerability in certain Next.js versions. Attackers used this vulnerability to compromise a small number of user workloads that had not yet updated to a patched version of Next.js. This resulted in downstream impact across the platform. It led to degraded performance in fewer than 10% of total workloads deployed on Railway, as well as private networking slowdowns and dropped requests affecting under 1% of our overall private network traffic.
When a Major Outage occurs, it is Railway’s policy to share the public details of what happened.
This incident caused degraded performance across running workloads on a subset of hosts and Private Networking. Europe West (Amsterdam, Netherlands) was primarily affected by this incident.
On December 16th, 2025:
- 07:05 UTC - On-call engineers paged due to fleet-wide performance degradation; investigations began immediately
- 07:10 UTC - Incident declared as Degraded Performance across all deployments in all regions
- 07:37 UTC - Incident escalated to Major Outage; builds paused across all plan tiers due to widespread degradation
- 07:40 UTC - Root cause identified as a large number of workloads exhibiting abnormally high CPU usage
- 08:06 UTC - Builds re-enabled after initial mitigations reduced impact
- 08:30 UTC - A malicious process within certain Railway customer workloads was identified as the primary culprit. Forensics and remediation began immediately
- 09:08 UTC - Europe West (Amsterdam, Netherlands) experienced concentrated secondary impact as host-level resource exhaustion persisted
- 10:30 UTC - Remediation efforts continued across the fleet
- 11:00 UTC - Fleet-wide recovery observed; incident moved into monitoring
- 11:20 UTC - Incident resolved; full recovery confirmed
For further reference, please see the incident’s live updates under “We are investigating issues with elevated network latency and slow deploys.”
On December 3rd, a third party notified Railway of a vulnerability in React Server Components (CVE-2025-55182). We implemented the initially provided mitigation ruleset in our WAF and continued to independently refine these rules as new information emerged.
Railway notified our users about this third-party vulnerability through Central Station and X, then sent targeted emails and in-app notifications to users we identified as running vulnerable versions.
On December 16th at 08:30 UTC, we discovered new attacks using payloads we had not previously observed. These attacks compromised a subset of customer services running vulnerable Next.js versions.
The compromised services were hijacked to run a malicious binary. We conducted forensic analysis to understand the nature of this binary. Live deployments were traced using direct eBPF hooks into running processes, and the binary was analyzed in an isolated sandbox to determine its runtime behavior.
This analysis identified the binary as a cryptominer. Upon discovering this, we took immediate action to:
- Block the malicious binary spawned by the exploitation
- Implement systems to remove infected workloads
- Block new builds using vulnerable Next.js versions
- Identify and notify affected users with guidance on remediation and secrets rotation
While there is no evidence of environment variable exfiltration based on inspection of runtime behavior and network calls, we strongly encourage users who received the notification titled “You have been impacted by a React/Next.js RSC Vulnerability” to treat this as a precautionary breach and rotate all sensitive secrets and API keys immediately.
The simultaneous execution of these attacks across many workloads and hosts caused fleet-wide resource starvation, which in turn degraded Private Networking in our multi-tenant networking environment.
This was a large-scale supply chain attack originating from a vulnerability in third-party dependencies. While we have implemented platform-level mitigations to the best of our abilities, we highly encourage you to upgrade any vulnerable versions IMMEDIATELY.
We have taken the following actions:
- New builds using vulnerable Next.js versions are now blocked
- Automated heuristic-based scanners are actively detecting and terminating known malicious processes
- Additional WAF rules are being deployed as new payloads emerge
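The sketch below shows the kind of heuristic a process scanner can apply to the signals described in this report (abnormally high CPU usage from a binary the workload was never meant to run). It is an added example, not Railway's scanner; the thresholds, the allowlist, the sample paths and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

CLK_TCK = 100               # assumed ticks per second (os.sysconf("SC_CLK_TCK") on a live host)
CPU_THRESHOLD = 0.90        # assumed: share of one core that counts as pegged
MIN_PEGGED_INTERVALS = 3    # assumed: consecutive pegged intervals before flagging
EXPECTED_EXES = {"/usr/local/bin/node"}  # assumed allowlist for a Next.js workload

@dataclass
class Sample:
    ts: float       # sample time in seconds
    pid: int
    exe: str        # target of /proc/<pid>/exe
    cpu_ticks: int  # utime + stime from /proc/<pid>/stat

def flag_suspects(samples):
    """Return {pid: reasons} for processes that peg a core for several
    intervals AND run from a binary outside the workload's allowlist."""
    by_pid = {}
    for s in sorted(samples, key=lambda s: (s.pid, s.ts)):
        by_pid.setdefault(s.pid, []).append(s)
    suspects = {}
    for pid, series in by_pid.items():
        streak = best = 0
        for prev, cur in zip(series, series[1:]):
            dt = cur.ts - prev.ts
            if dt <= 0 or cur.cpu_ticks < prev.cpu_ticks:  # clock skew or PID reuse
                streak = 0
                continue
            share = (cur.cpu_ticks - prev.cpu_ticks) / CLK_TCK / dt
            streak = streak + 1 if share >= CPU_THRESHOLD else 0
            best = max(best, streak)
        exe = series[-1].exe
        reasons = ["sustained_cpu"] if best >= MIN_PEGGED_INTERVALS else []
        if exe not in EXPECTED_EXES:
            reasons.append("unexpected_exe")
        if exe.endswith(" (deleted)"):  # binary unlinked from disk after launch
            reasons.append("deleted_on_disk")
        # High CPU alone is normal for a busy app; require a second signal.
        if "sustained_cpu" in reasons and len(reasons) > 1:
            suspects[pid] = reasons
    return suspects

def _series(pid, exe, ticks):  # constructed samples, one every 10 seconds
    return [Sample(10.0 * i, pid, exe, t) for i, t in enumerate(ticks)]

SAMPLES = (_series(1, "/usr/local/bin/node", [0, 950, 1000, 1950, 2000])  # bursty app
           + _series(41, "/tmp/.x (deleted)", [0, 980, 1970, 2960, 3950])  # pegged, unknown
           + _series(57, "/bin/sh", [0, 1, 2, 2, 3]))                      # idle shell

if __name__ == "__main__":
    print(flag_suspects(SAMPLES))
```

Requiring a second signal alongside CPU keeps a legitimately busy application server from being terminated by the scanner.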
If you are running an affected version, please upgrade immediately.
If you received a notification indicating your service was impacted, please treat this as a precautionary breach and rotate all sensitive secrets and API keys immediately.
Railway is committed to providing a best-in-class cloud experience. While this incident originated from a third-party vulnerability outside of our control, any downtime is unacceptable for us. We apologize for any inconvenience caused by this, and we are going to work towards eliminating the entire class of issues contributing to this incident.
