CVE-2025-28244
Published: 10 July 2025
Summary
CVE-2025-28244 is a high-severity Insecure Storage of Sensitive Information (CWE-922) vulnerability in Alteryx Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE is ranked in the top 33.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-12 (Session Termination).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
IA-5 mandates protecting authenticator content from unauthorized disclosure and modification, directly addressing the insecure permissions allowing theft of session tokens from localStorage.
AC-12 enforces automatic session termination after defined conditions, limiting the viability window of stolen session tokens for account takeover.
IA-11 requires re-authentication for privileged transactions, restricting the scope of damage from account takeover using stolen session tokens.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Insecure localStorage permissions enable direct theft of session/access tokens via a malicious webpage (T1528/T1539), leading to account takeover with valid accounts (T1078).
NVD Description
Insecure Permissions vulnerability in the Local Storage in Alteryx Server 2023.1.1.460 allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover
Deeper analysis [AI]
CVE-2025-28244 is an Insecure Permissions vulnerability (CWE-922) affecting the Local Storage component in Alteryx Server version 2023.1.1.460. It enables remote attackers to access valid user session tokens stored in localStorage, potentially resulting in full account takeover. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and significant impacts on confidentiality, integrity, and availability.
Remote attackers without prior authentication can exploit this issue by tricking authenticated users into performing an action that exposes localStorage contents, such as visiting a malicious webpage. Successful exploitation grants the attacker the victim's session token, allowing unauthorized access to the Alteryx Server account with the same privileges as the targeted user, including potential data exfiltration, workflow manipulation, or further lateral movement within the environment.
Vendor guidance is available via the Alteryx security advisory at https://alteryx.com, while a detailed technical analysis and potential proof-of-concept are provided in a GitHub Gist at https://gist.github.com/DylanGrl/2771afe86bdd2665b83f28c1ff5c12eb. Security practitioners should consult these resources for specific patch instructions, workarounds, or upgrade paths to mitigate the risk.
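As an added defender-side example (not code from this page, from the Alteryx advisory or from the linked Gist), the Node.js script below demonstrates the two controls the sections above map to this weakness: a scan of a localStorage snapshot for values that look like stored session tokens (the exposure IA-5 addresses), and a check that a session cookie is HttpOnly, Secure, SameSite-restricted and bounded in lifetime (the session-lifetime limit AC-12 addresses), alongside a helper that builds such a cookie. The function names, regular expressions, cookie attributes and the sample localStorage contents are assumptions constructed for the example; the token value is made up and the script has no connection to how Alteryx Server actually stores sessions.

```javascript
// Added example (not Alteryx code): defender-side checks for session tokens
// kept in web storage versus session tokens carried in a hardened cookie.
// Runs under Node.js; all sample data is constructed for illustration.
'use strict';

// Key names and value shapes that usually indicate a credential. JWT_VALUE
// matches three base64url segments separated by dots; OPAQUE_VALUE matches a
// long random-looking blob such as an opaque session identifier.
const SENSITIVE_KEY = /(token|session|jwt|auth|bearer|secret)/i;
const JWT_VALUE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;
const OPAQUE_VALUE = /^[A-Za-z0-9+/=_-]{32,}$/;

// Inspect a snapshot of localStorage (a plain object of key -> string, as
// produced by Object.assign({}, window.localStorage) in a browser) and return
// the entries that look like stored credentials. Anything in localStorage is
// readable by every script running in the page, so a hit here means a session
// token is exposed to theft and should move to an HttpOnly cookie.
function auditWebStorage(snapshot) {
  const findings = [];
  for (const [key, value] of Object.entries(snapshot)) {
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push('sensitive key name');
    if (typeof value === 'string' && JWT_VALUE.test(value)) {
      reasons.push('JWT-shaped value');
    } else if (typeof value === 'string' && OPAQUE_VALUE.test(value)) {
      reasons.push('opaque token-like value');
    }
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Parse a Set-Cookie header value and list the hardening attributes it lacks.
// An empty array means the cookie is script-inaccessible (HttpOnly), sent only
// over HTTPS (Secure), restricted cross-site (SameSite) and bounded in lifetime
// (Max-Age or Expires, the AC-12 session-termination window).
function auditSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const attrs = new Map();
  for (const part of parts.slice(1)) { // parts[0] is the name=value pair
    const [name, ...rest] = part.split('=');
    attrs.set(name.toLowerCase(), rest.join('='));
  }
  const missing = [];
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  if (!attrs.has('secure')) missing.push('Secure');
  const sameSite = (attrs.get('samesite') || '').toLowerCase();
  if (sameSite !== 'strict' && sameSite !== 'lax') missing.push('SameSite=Strict|Lax');
  if (!attrs.has('max-age') && !attrs.has('expires')) missing.push('Max-Age/Expires');
  return missing;
}

// Build a hardened session cookie. The token never touches localStorage: the
// browser stores it and attaches it to requests, but page scripts cannot read
// it. maxAgeSeconds bounds how long any copy of the cookie remains valid.
function buildSessionCookie(token, { name = 'sid', maxAgeSeconds = 900 } = {}) {
  return `${name}=${encodeURIComponent(token)}; Path=/; Max-Age=${maxAgeSeconds}; ` +
         'Secure; HttpOnly; SameSite=Strict';
}

// Constructed localStorage snapshot; the authToken value is a made-up,
// JWT-shaped string, not a real token.
const SAMPLE_LOCALSTORAGE = {
  theme: 'dark',
  lastWorkflow: 'sales-report',
  authToken: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
};

console.log('localStorage findings:', JSON.stringify(auditWebStorage(SAMPLE_LOCALSTORAGE)));
console.log('weak cookie is missing:', auditSetCookie('sid=abc123; Path=/'));
console.log('hardened cookie is missing:', auditSetCookie(buildSessionCookie('abc123')));
```

In a real deployment the storage scan would run from the browser console or a test harness against the application's own origin, and the cookie audit would run against captured login responses; both checks give a quick yes/no on whether the session token is script-readable and whether its lifetime is bounded.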
Details
- CWE(s)