CVE-2025-28244

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to steal valid user session tokens from localStorage in Alteryx Server, enabling account takeover. Attackers can impersonate legitimate users and access sensitive data or functionality. Organizations running Alteryx Server 2023.1.1.460 are affected.

💻 Affected Systems

Products:
  • Alteryx Server
Versions: 2023.1.1.460
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component where session tokens are stored insecurely in localStorage.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all user accounts, unauthorized access to sensitive business data, privilege escalation to administrative functions, and potential lateral movement within the network.

🟠 Likely Case

Attackers steal session tokens to impersonate users, access confidential data analytics, modify data pipelines, and potentially exfiltrate sensitive information.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring, though session token theft remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the web interface, but no authentication is needed to read the tokens once that access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://alteryx.com

Restart Required: No

Instructions:

Check Alteryx vendor advisory for updates. Upgrade to a patched version when available. Until then, implement workarounds.

🔧 Temporary Workarounds

Implement HTTP-only and Secure Cookie Flags

all

Configure session cookies with HttpOnly and Secure flags to prevent JavaScript access and enforce HTTPS.

Configure in web server settings or application configuration to set session cookies with HttpOnly and Secure attributes.

Network Segmentation and Access Controls

all

Restrict access to Alteryx Server web interface to trusted networks only.

Configure firewall rules to limit access to specific IP ranges or VLANs.

🧯 If You Can't Patch

  • Isolate Alteryx Server behind a VPN or zero-trust network access solution.
  • Implement web application firewall (WAF) rules to detect and block token theft attempts.

🔍 How to Verify

Check if Vulnerable:

Open the browser developer tools (Application/Storage tab) on the Alteryx Server web interface and check whether session tokens are kept in localStorage; unlike a cookie, localStorage has no HttpOnly protection, so any script running on the page can read it.

Check Version:

Check Alteryx Server version in administration console or via 'alteryx --version' command if available.

Verify Fix Applied:

After applying workarounds, verify that session cookies are marked HttpOnly and Secure, and localStorage no longer contains sensitive tokens.
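One way to script the two checks above, as an added example that is not Alteryx code: it flags session-like Set-Cookie headers that lack HttpOnly or Secure, and localStorage keys whose value still looks like a bearer token. The cookie names, storage keys and token values are constructed sample data, not values from the product.

```javascript
// Added example, not Alteryx Server code: checks for the "Verify Fix Applied" step.
// (1) every session-like Set-Cookie header carries HttpOnly and Secure;
// (2) no localStorage entry still holds a token-shaped value. Sample data is constructed.

const SESSION_COOKIE_RE = /(sess|token|auth|jwt|sid)/i;
const JWT_RE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;
const OPAQUE_TOKEN_RE = /^[A-Za-z0-9+/_=-]{32,}$/;

// Parse one Set-Cookie header into its cookie name and lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attrs = new Set(rest.map((a) => a.split('=')[0].toLowerCase()));
  return { name, attrs };
}

// Names of session-like cookies that lack HttpOnly or Secure.
function weakSessionCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => SESSION_COOKIE_RE.test(c.name))
    .filter((c) => !c.attrs.has('httponly') || !c.attrs.has('secure'))
    .map((c) => c.name);
}

// localStorage keys whose value looks like a bearer token (JWT or long opaque string).
function tokenLikeStorageKeys(storageSnapshot) {
  return Object.entries(storageSnapshot)
    .filter(([, v]) => typeof v === 'string' && (JWT_RE.test(v) || OPAQUE_TOKEN_RE.test(v)))
    .map(([k]) => k);
}

// Combined verdict: fixed only when no weak cookie and no token remains in storage.
function auditFixApplied(setCookieHeaders, storageSnapshot) {
  const weakCookies = weakSessionCookies(setCookieHeaders);
  const tokenKeys = tokenLikeStorageKeys(storageSnapshot);
  return { weakCookies, tokenKeys, fixed: weakCookies.length === 0 && tokenKeys.length === 0 };
}

// Constructed sample: one hardened cookie, one still missing HttpOnly, one token left behind.
const SAMPLE_SET_COOKIE = [
  'ayx_session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
  'auth_token=def456; Path=/; Secure',
  'theme=dark; Path=/',
];
const SAMPLE_LOCAL_STORAGE = {
  uiLocale: 'en-US',
  accessToken: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJlX3BsYWNlaG9sZGVy',
};
console.log(auditFixApplied(SAMPLE_SET_COOKIE, SAMPLE_LOCAL_STORAGE));
```

In a real check, paste the Set-Cookie headers from the Network tab of the developer tools and pass `Object.assign({}, localStorage)` from the page's console as the snapshot.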

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to localStorage APIs in web server logs
  • Multiple failed login attempts followed by successful logins from different IPs

Network Indicators:

  • Unexpected JavaScript requests to session token endpoints
  • Traffic to Alteryx Server from unauthorized IP ranges

SIEM Query:

source="alteryx_logs" AND (event="localStorage_access" OR event="session_token_request")
