CVE-2025-28244 Overview
An Insecure Permissions vulnerability has been identified in the Local Storage implementation of Alteryx Server 2023.1.1.460. This vulnerability allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover. The flaw stems from improper storage of sensitive authentication data in client-side browser localStorage, which can be accessed by malicious scripts or attackers with access to the browser environment.
Critical Impact
Remote attackers can steal valid user session tokens from localStorage, enabling complete account takeover and unauthorized access to Alteryx Server workflows, data connections, and sensitive analytics assets.
Affected Products
- Alteryx Server version 2023.1.1.460
- Alteryx Server installations utilizing local storage for session management
- Systems where users access Alteryx Server through web browsers
Discovery Timeline
- July 10, 2025 - CVE-2025-28244 published to NVD
- July 17, 2025 - Last updated in NVD database
Technical Details for CVE-2025-28244
Vulnerability Analysis
This vulnerability is classified under CWE-922 (Insecure Storage of Sensitive Information), indicating that sensitive session data is stored in a manner that does not adequately protect it from unauthorized access. The core issue lies in the application's decision to store user session tokens in browser localStorage rather than using more secure mechanisms such as HttpOnly cookies or server-side session management.
Browser localStorage is accessible to any JavaScript code running within the same origin, making it vulnerable to Cross-Site Scripting (XSS) attacks. If an attacker can execute malicious JavaScript in the context of the Alteryx Server application—through XSS vulnerabilities, browser extensions, or compromised third-party scripts—they can trivially read the stored session tokens and use them to impersonate legitimate users.
Root Cause
The root cause of this vulnerability is the improper storage of sensitive authentication credentials in client-side localStorage. Session tokens should never be stored in localStorage due to its accessibility to JavaScript code. The application fails to implement secure session storage practices, leaving authentication tokens exposed to potential theft. Proper session management would utilize HttpOnly cookies that cannot be accessed via JavaScript, significantly reducing the attack surface.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can exploit this vulnerability through several methods:
- XSS Chaining: If any XSS vulnerability exists in Alteryx Server or can be introduced through social engineering, the attacker injects malicious JavaScript that reads localStorage and exfiltrates session tokens to an attacker-controlled server.
- Malicious Browser Extensions: A compromised or malicious browser extension running in the victim's browser can access localStorage across any domain the user visits.
- Shared/Public Computers: On shared systems, subsequent users or malicious actors with physical access could inspect localStorage to retrieve valid session tokens.
The exploitation mechanism involves reading the session token from localStorage using standard JavaScript APIs such as localStorage.getItem(). Once obtained, the attacker can use the token to authenticate as the victim user. Technical details regarding the specific localStorage keys and exploitation flow can be found in the GitHub Gist published by the researcher.
Detection Methods for CVE-2025-28244
Indicators of Compromise
- Unusual session token access patterns from unexpected geographic locations or IP addresses
- Multiple concurrent sessions for a single user account from different locations
- Anomalous API requests using valid session tokens from unrecognized user agents
- Unexpected data access or workflow modifications by user accounts during off-hours
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and prevent unauthorized script execution
- Monitor authentication logs for session tokens being used from multiple IP addresses simultaneously
- Deploy browser-based security tools that alert on localStorage access by unauthorized scripts
- Utilize Web Application Firewalls (WAF) to detect and block XSS attack patterns that could enable token theft
Monitoring Recommendations
- Enable detailed audit logging for all authentication and session-related events in Alteryx Server
- Configure SIEM rules to alert on session anomalies such as token reuse across different network contexts
- Monitor for DOM-based attacks and script injection attempts against the Alteryx Server web interface
- Implement user behavior analytics to identify potential account takeover scenarios
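The token-reuse detection called for in the Detection Strategies and Monitoring Recommendations lists above, as an added example that is not part of this advisory, of Alteryx Server, or of any SIEM product: it reads a constructed JSON-lines sample of authenticated requests and flags a session token that appears from a second IP address or user agent within a short window. The log format, the field names (ts, user, session, ip, ua) and the function names are assumptions for this example; adapt parseLog to the audit log format your Alteryx Server actually emits.

```javascript
// Added example (not from the advisory or Alteryx): flag session tokens that
// are used from more than one client IP or user agent within a short window.
// Log format and field names are assumptions for this example.

// Constructed sample of authenticated-request log records (JSON lines).
const SAMPLE_LOG = `
{"ts":"2025-07-10T09:00:00Z","user":"alice","session":"tok-a1","ip":"10.0.0.5","ua":"Chrome/126"}
{"ts":"2025-07-10T09:01:00Z","user":"alice","session":"tok-a1","ip":"10.0.0.5","ua":"Chrome/126"}
{"ts":"2025-07-10T09:02:30Z","user":"alice","session":"tok-a1","ip":"203.0.113.9","ua":"curl/8.0"}
{"ts":"2025-07-10T09:05:00Z","user":"bob","session":"tok-b7","ip":"10.0.0.8","ua":"Firefox/128"}
{"ts":"2025-07-10T13:00:00Z","user":"bob","session":"tok-b7","ip":"10.0.0.8","ua":"Firefox/128"}
`;

// Parse JSON lines into records with a numeric timestamp; blank or malformed
// lines are skipped rather than aborting the whole run.
function parseLog(text) {
  const records = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      const r = JSON.parse(trimmed);
      records.push({ ...r, t: Date.parse(r.ts) });
    } catch (e) {
      // malformed line: ignore
    }
  }
  return records;
}

// Mask a token in alert output so the alert itself does not leak it.
function maskToken(token) {
  return token.length <= 4 ? '****' : token.slice(0, 4) + '...';
}

// Group records by session token, order them by time, and report any request
// whose IP or user agent differs from every earlier request on the same
// session within windowMs (default 15 minutes).
function detectSessionReuse(records, windowMs = 15 * 60 * 1000) {
  const bySession = new Map();
  for (const r of records) {
    if (!bySession.has(r.session)) bySession.set(r.session, []);
    bySession.get(r.session).push(r);
  }
  const alerts = [];
  for (const [session, reqs] of bySession) {
    reqs.sort((a, b) => a.t - b.t);
    const seen = []; // earlier requests on this session
    for (const r of reqs) {
      const recent = seen.filter((p) => r.t - p.t <= windowMs);
      const ips = new Set(recent.map((p) => p.ip));
      const uas = new Set(recent.map((p) => p.ua));
      const reasons = [];
      if (ips.size > 0 && !ips.has(r.ip)) reasons.push(`ip changed to ${r.ip}`);
      if (uas.size > 0 && !uas.has(r.ua)) reasons.push(`user agent changed to ${r.ua}`);
      if (reasons.length > 0) {
        alerts.push({ user: r.user, session: maskToken(session), at: r.ts, reasons });
      }
      seen.push(r);
    }
  }
  return alerts;
}

// Run over the constructed sample: alice's token reappears from a new IP and
// a command-line user agent ninety seconds after her browser used it; bob's
// two requests are hours apart and stay quiet.
console.log(detectSessionReuse(parseLog(SAMPLE_LOG)));
```

The window matters: a user who moves from office Wi-Fi to a phone network will change IP legitimately, so treat a single IP change as a lower-severity signal and the combination of a new IP and a new user agent (a browser token suddenly replayed by a script) as the one worth paging on.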
How to Mitigate CVE-2025-28244
Immediate Actions Required
- Audit current Alteryx Server deployments to identify if version 2023.1.1.460 is in use
- Review browser localStorage for exposed session tokens and force session invalidation for all active users
- Implement network-level controls to restrict access to Alteryx Server from trusted networks only
- Enable multi-factor authentication (MFA) to add an additional layer of protection against account takeover
Patch Information
Organizations should check the Alteryx official website for security advisories and updated versions that address this vulnerability. It is recommended to upgrade to the latest supported version of Alteryx Server that implements secure session storage mechanisms. Contact Alteryx support for guidance on available patches and upgrade paths.
Workarounds
- Implement strict Content Security Policy (CSP) headers to prevent XSS attacks that could be used to steal tokens
- Where the session identifier is carried in a cookie, configure the web server or reverse proxy to add the HttpOnly and Secure flags to it (these flags protect a cookie only; they do nothing for a token the application writes to localStorage)
- Restrict network access to Alteryx Server using firewall rules and VPN requirements
- Educate users about the risks of using browser extensions from untrusted sources and accessing Alteryx Server from shared computers
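The HttpOnly-cookie alternative named under Root Cause, and the cookie-flag workaround in the list above, as an added example that is not part of this advisory or of Alteryx Server: a builder that issues a session cookie JavaScript cannot read, and an audit of a Set-Cookie header for the attributes it lacks. The function names and the sample cookie values are this example's own. The audit is the check to run against a proxied response after the reverse-proxy change, to confirm the flags actually reached the browser.

```javascript
// Added example (not Alteryx code): issue a session cookie that injected
// script cannot read, and audit a Set-Cookie header for the attributes a
// session cookie needs. Function names and sample values are this example's own.

// HttpOnly keeps document.cookie (and so any script running in the page) from
// reading the value; Secure keeps it off plaintext HTTP; SameSite limits
// cross-site sending. By contrast, localStorage.setItem('token', t) exposes t
// to every script in the origin.
const REQUIRED_ATTRIBUTES = ['HttpOnly', 'Secure', 'SameSite'];

// Build a Set-Cookie header value for a server-issued session token.
function buildSessionCookie(name, token, { maxAgeSeconds = 3600, path = '/' } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,]/.test(token)) throw new Error('token contains cookie-unsafe characters');
  return [
    `${name}=${token}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Parse a Set-Cookie header value into its name/value pair and attributes.
// Attribute names are lower-cased, since browsers match them case-insensitively.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Return findings for a Set-Cookie header; an empty list means every required
// attribute is present and SameSite is not None.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  for (const required of REQUIRED_ATTRIBUTES) {
    if (!(required.toLowerCase() in attributes)) findings.push(`missing ${required}`);
  }
  if (String(attributes.samesite).toLowerCase() === 'none') {
    findings.push('SameSite=None allows cross-site sending');
  }
  return findings;
}

// Constructed examples: a header a proxy might forward unchanged, and the
// hardened one the builder produces.
const WEAK_COOKIE = 'sid=abc123; Path=/';
console.log(auditSetCookie(WEAK_COOKIE));                          // three findings
console.log(auditSetCookie(buildSessionCookie('sid', 'abc123')));  // []
```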
# Example CSP header configuration for Apache
# Add to your Alteryx Server Apache configuration or .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';"
# Example for Nginx configuration
# Add to your server block
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';" always;
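An added check for the CSP values shown above (this example's own code, not Alteryx's or the advisory's): parseCsp and auditCsp report the settings that would still let injected script run, such as 'unsafe-inline' in script-src, an object-src that falls back to a permissive default-src, or a missing frame-ancestors. Function names are this example's own. Two caveats a deployment will hit: a policy of script-src 'self' blocks inline scripts the application itself may rely on, so roll it out under Content-Security-Policy-Report-Only first and read the reports; and CSP only narrows the XSS path to the token, it does not change where the token is stored.

```javascript
// Added example (not from the advisory or Alteryx): parse a
// Content-Security-Policy value and report settings that still let injected
// script run. Function names are this example's own.

// Parse "directive src src; directive src" into a Map of directive -> sources.
// Names and source expressions are lower-cased for comparison.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Sources that apply to a fetch directive: its own list, or default-src when
// the directive is absent (the fallback browsers use). null means unrestricted.
function effectiveSources(policy, directive) {
  return policy.get(directive) || policy.get('default-src') || null;
}

// Return a list of findings; an empty list means none of the checked
// weaknesses is present.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    findings.push('no script-src or default-src: any script source is allowed');
  } else {
    if (scripts.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
    if (scripts.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    if (scripts.includes('*')) findings.push('script-src allows any host');
  }

  // Plugins loaded via object-src are another script-execution path; it should be 'none'.
  const objects = effectiveSources(policy, 'object-src');
  if (objects === null || !objects.includes("'none'")) {
    findings.push("object-src is not 'none'");
  }

  // frame-ancestors does not fall back to default-src, so check it directly.
  if (!policy.has('frame-ancestors')) {
    findings.push('frame-ancestors missing: the page can be framed');
  }
  return findings;
}

// Constructed examples: the policy from the configuration above, and a weak one.
const ADVISORY_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';";
const WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline'";
console.log(auditCsp(ADVISORY_CSP)); // []
console.log(auditCsp(WEAK_CSP));     // three findings
```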
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.