CVE-2025-66033

Description

Okta Java Management SDK facilitates interactions with the Okta management API. In versions 21.0.0 through 24.0.0, specific multithreaded implementations may encounter memory issues as threads are not properly cleaned up after requests are completed. Over time, this can degrade performance and availability in long-running applications and may result in a denial-of-service condition under sustained load. In addition to using the affected versions, users may be at risk if they are implementing a long-running application using the ApiClient in a multi-threaded manner. This issue is fixed in version 24.0.1.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:okta:java_management_sdk:*:*:*:*:*:*:*:* - VULNERABLE

21.0.0 <= Okta Java Management SDK < 24.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# POC for CVE-2025-66033
# 多线程并发请求触发内存泄漏
import concurrent.futures

def trigger_leak():
    # 模拟API调用
    response = requests.get('https://api.okta.com/api/v1/users')
    return response

# 启动大量并发线程
with concurrent.futures.ThreadPoolExecutor(max_workers=100) as executor:
    futures = [executor.submit(trigger_leak) for _ in range(1000)]
    concurrent.futures.wait(futures)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-66033
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-66033
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-66033/
[4] VulDB https://vuldb.com/cve/CVE-2025-66033
[5] https://github.com/okta/okta-sdk-java/commit/1daa9229a70fc38fb252aeaa637f82d0b0729b3f
[6] https://github.com/okta/okta-sdk-java/security/advisories/GHSA-qhr6-6cgv-6638

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-66033", "sourceIdentifier": "[email protected]", "published": "2025-12-10T22:16:27.520", "lastModified": "2026-03-06T19:36:51.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Okta Java Management SDK facilitates interactions with the Okta management API. In versions 21.0.0 through 24.0.0, specific multithreaded implementations may encounter memory issues as threads are not properly cleaned up after requests are completed. Over time, this can degrade performance and availability in long-running applications and may result in a denial-of-service condition under sustained load. In addition to using the affected versions, users may be at risk if they are implementing a long-running application using the ApiClient in a multi-threaded manner. This issue is fixed in version 24.0.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:okta:java_management_sdk:*:*:*:*:*:*:*:*", "versionStartIncluding": "21.0.0", "versionEndExcluding": "24.0.1", "matchCriteriaId": "23BCEB28-B29D-4F50-9BC4-CB2B9A59FBCC"}]}]}], "references": [{"url": "https://github.com/okta/okta-sdk-java/commit/1daa9229a70fc38fb252aeaa637f82d0b0729b3f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/okta/okta-sdk-java/security/advisories/GHSA-qhr6-6cgv-6638", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}