Incident Report: December 16th, 2025
Authors: Noah Dunnagan & Ray Chen Date: Dec 16, 2025
Impact
Railway experienced a major incident affecting fewer than 10% of deployed workloads, primarily in Europe West (Amsterdam). The vulnerability in Next.js versions was exploited to compromise a small number of user services, causing “degraded performance across running workloads on a subset of hosts and Private Networking.”
Incident Timeline
- 07:05 UTC – Engineers alerted to fleet-wide performance degradation
- 07:10 UTC – Incident declared as Degraded Performance
- 07:37 UTC – Escalated to Major Outage; builds paused across all tiers
- 07:40 UTC – Root cause identified as abnormally high CPU usage in multiple workloads
- 08:06 UTC – Builds re-enabled after initial mitigations
- 08:30 UTC – “A malicious process within certain Railway customer workloads was identified as the primary culprit”
- 09:08 UTC – Secondary impact concentrated in Amsterdam
- 11:00 UTC – Fleet-wide recovery observed
- 11:20 UTC – Incident resolved
What Happened
On December 3rd, Railway was notified of CVE-2025-55182 affecting React Server Components. The team deployed WAF rules and notified users through multiple channels.
On December 16th, attackers used previously unseen payloads to exploit vulnerable Next.js versions. The compromised services “were hijacked to run a malicious binary.” Forensic analysis using eBPF revealed the binary to be “a cryptominer.”
Railway immediately blocked the malicious binary, removed infected workloads, and prevented new builds using vulnerable versions.
Preventative Measures
- New builds using vulnerable Next.js versions are blocked
- Automated scanners detect and terminate malicious processes
- Additional WAF rules deployed as new threats emerge
- Users encouraged to upgrade immediately and rotate secrets