diff --git a/packages/backend/src/server/api/common/compare-url.ts b/packages/backend/src/server/api/common/compare-url.ts
index 083f9fffb..2d35dbd97 100644
--- a/packages/backend/src/server/api/common/compare-url.ts
+++ b/packages/backend/src/server/api/common/compare-url.ts
@@ -4,12 +4,20 @@ import { URL } from 'node:url';
  * Compares two URLs for OAuth. The first parameter is the trusted URL
  * which decides how the comparison is conducted.
  *
+ * Invalid URLs are never equal.
+ *
  * Implements the current draft-ietf-oauth-security-topics-21 ยง 4.1.3
  * (published 2022-09-27)
  */
 export function compareUrl(trusted: string, untrusted: string): boolean {
-	let trustedUrl = new URL(trusted);
-	let untrustedUrl = new URL(untrusted);
+	let trustedUrl, untrustedUrl;
+
+	try {
+		trustedUrl = new URL(trusted);
+		untrustedUrl = new URL(untrusted);
+	} catch {
+		return false;
+	}
 
 	// Excerpt from RFC 8252:
 	//> Loopback redirect URIs use the "http" scheme and are constructed with
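Review bot: The new `catch` returns false when either argument fails to parse, so a malformed trusted URL (the registered redirect URI, whose origin this hunk does not show) is silently indistinguishable from a malformed untrusted one; failing closed is the right default for a redirect-URI check, but the doc line should say so, and should also say that because `new URL()` is called without a base, relative references such as `/callback` count as invalid. I would expand the added comment to ` * Invalid URLs are never equal. "Invalid" means anything new URL() rejects without a base URL, so relative references are rejected, and a malformed trusted URL fails the comparison too.` Since nothing else inside the `try` can throw, the bare `catch` is acceptable as written. The untyped `let trustedUrl, untrustedUrl;` relies on TypeScript's evolving-let inference; `let trustedUrl: URL, untrustedUrl: URL;` states the intent and keeps the comparison below typed if the try block ever grows. The body of compareUrl continues past the end of this hunk.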