4 months ago
Hello Railway Support Team,
I’m experiencing a critical security issue affecting my staging environment hosted on Railway. After a successful Google OAuth login, users are being redirected to an unrelated malicious gambling website.
This issue does NOT occur in production (or local development), which uses a custom Supabase domain. It only happens on staging/dev, which uses the auto-generated Supabase domain and is hosted via Railway.
Google OAuth completes successfully
User is redirected to /auth/callback
Instead of staying within the app, a malicious JavaScript file is executed
This script then redirects the user to an external gambling site
Discord OAuth works correctly in all environments.
Environments:
Staging
Hosted on Railway
Uses auto-generated Supabase API/domain
No recent code or config changes (last ~7 days)
Same OAuth client ID/secret as production
Production
Uses custom Supabase domain
OAuth works perfectly
No malicious redirect
OAuth Redirect Flow
Redirect:
https://dev.clipthis.app/auth/callback?code=...&next=/intro
Observed behavior:
The callback page loads the following HTML before redirecting to a malicious site:
This script is not part of our codebase and is never served in production.
/auth/callback Implementation
The callback route is implemented using a Next.js Route Handler and only performs:
supabase.auth.exchangeCodeForSession
A server-side redirect via NextResponse.redirect(...)
No client-side scripts are included or rendered here.
Supabase Confirmation:
I contacted Supabase support. They confirmed:
If it correctly redirecting to that path, then from the Supabase side of things that sounds like it's working as expected?
So yes, anyone can help me with that? Im currently clueless...
Thank you
25 Replies
Intressting discovery:
I just hit the "Redeploy" button in the dev branch.
For the next 20 minutes everything was working correctly.
After the 20 minutes it was redirecting to the malicious site
4 months ago
Are you using Cloudflare?
4 months ago
You can try seeing if the redirect hits Railway http logs, if not, it is happening in a upstream provider (like cloudflare or other proxy)
4 months ago
I would also ask you to check your CNAME records on that subdomain
4 months ago
Are you fully proxying the CNAME on CF? (Orange Cloud)
4 months ago
If it happens again I would say to make it "DNS only" (Grey Cloud) and check if it persists
4 months ago
But yeah, really interesting and weird issue.
It’s redirecting to the malicious website again.
I’ve switched it to DNS-only, but that didn’t change anything.
I’ll leave it to DNS-only and try to login again in about an hour.
The only thing that has worked so far was redeploying the dev environment, but that fix only lasted for a unspecific time.
```
@calcom/embed-react ^1.5.3
@radix-ui/react-navigation-menu ^1.2.14
date-fns ^4.1.0
i18n-iso-countries ^7.14.0
react-day-picker ^9.11.1
supabase (updated from ^2.39.2) ^2.58.5
these are the npm packages i added or changed compared to the main branch.
this is the route where it gets redirect (/auth/callback)
```ts
import { createClient } from "@/lib/supabase/server";
import { NextResponse } from "next/server";
import { isAuthenticated } from "@/actions/is-authenticated";
// The client you created from the Server-Side Auth instructions
export async function GET(request: Request) {
const { searchParams, origin } = new URL(request.url);
const code = searchParams.get("code");
// if "next" is in param, use it as the redirect URL
const next = searchParams.get("next") ?? "/";
if (code) {
const supabase = await createClient();
const { error } = await supabase.auth.exchangeCodeForSession(code);
if (!error) {
// Use the isAuthenticated function to check if user has a profile
const extendedUser = await isAuthenticated();
// If user has a profile (is authenticated with extended user data), redirect to dashboard
// Otherwise, use the next parameter
const redirectPath = extendedUser ? "/dashboard" : next;
const forwardedHost = request.headers.get("x-forwarded-host"); // original origin before load balancer
const isLocalEnv = process.env.NODE_ENV === "development";
if (isLocalEnv) {
// we can be sure that there is no load balancer in between, so no need to watch for X-Forwarded-Host
return NextResponse.redirect(`${origin}${redirectPath}`);
} else if (forwardedHost) {
return NextResponse.redirect(`https://${forwardedHost}${redirectPath}`);
} else {
return NextResponse.redirect(`${origin}${redirectPath}`);
}
}}
// return the user to an error page with instructions
return NextResponse.redirect(${origin}/auth/auth-code-error);
}
https://www.reddit.com/r/CloudFlare/s/Vz0i3bUnZ9
The Supabase support team sent me this
i updated react 19.0.0 to 19.2.4 (latest) which hopefully fixes this issue.
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
i thought 19.0.0 would fix this but looks like this was not enough. Blog was also updated with new vulnerabilities last week.
will give an update in about an hour to make sure this fixes it.
4 months ago
This is not related to Railway, I don't know where's the origin of this, but I'm intrigued to see the solution so keep me updated
It was the react version, so we can close this issue. pretty strange but yeah..
Status changed to Solved medim • 4 months ago