5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66033

CVE-2025-66033: Improper Memory Cleanup in the Okta Java SDK

Description

In the Okta Java SDK, specific multithreaded implementations may encounter memory issues as threads are not properly cleaned up after requests are completed. Over time, this can degrade performance and availability in long-running applications and may result in a denial-of-service condition under sustained load.

Affected product and versions

You may be affected by this vulnerability if you meet the following preconditions:

Using the Okta Java SDK between versions 21.0.0 and 24.0.0, and
Implementing a long-running application using the ApiClient in a multi-threaded manner.

Resolution

Upgrade Okta/okta-sdk-java to versions 24.0.1 or greater.

Acknowledgement

Okta would like to thank Andrew Pikler (pyckle) for their discovery and responsible disclosure.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66033

CVE-2025-66033:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.okta.sdk:okta-sdk-root	maven	>= 21.0.0, <= 24.0.0	24.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a memory leak in the Okta Java SDK caused by improper state management in the ApiClient class. The root cause was the use of ConcurrentHashMap instances (lastStatusCodeByThread and lastResponseHeadersByThread) to store response data, using the thread ID as the key.

In long-running, multi-threaded applications (e.g., using thread pools), threads are created and destroyed, but the entries in these maps were never removed. This resulted in an unbounded growth of the maps, consuming memory and eventually leading to a denial-of-service.

The core vulnerable function is com.okta.sdk.resource.client.ApiClient.processResponse, which populated these maps on every API call. The methods getStatusCode and getResponseHeaders read from these maps. The legacy pagination helper, com.okta.sdk.helper.PaginationUtil, used apiClient.getResponseHeaders() to manage pagination, making it a primary trigger for the vulnerable logic.

The patch resolves this by replacing the ConcurrentHashMaps with ThreadLocal variables. ThreadLocal ensures that the stored data is scoped to the lifecycle of the thread and is automatically garbage-collected when the thread terminates, thus fixing the leak. The patch also introduces a new thread-safe, stateless pagination mechanism (PagedIterable) and deprecates the old, vulnerable methods.

Vulnerable functions

com.okta.sdk.resource.client.ApiClient.processResponse

api/src/main/resources/custom_templates/ApiClient.mustache

This function was responsible for populating the `lastStatusCodeByThread` and `lastResponseHeadersByThread` maps. It used the current thread's ID as a key but never removed the entries. In a long-running, multi-threaded application, this causes a memory leak as the maps grow indefinitely with data from completed threads.

com.okta.sdk.resource.client.ApiClient.getResponseHeaders

api/src/main/resources/custom_templates/ApiClient.mustache

This function retrieved response headers from the `lastResponseHeadersByThread` map, which was the source of the memory leak. The old pagination logic relied on this method to get the 'next' page URL, making it a key part of the vulnerable workflow.

com.okta.sdk.resource.client.ApiClient.getStatusCode

api/src/main/resources/custom_templates/ApiClient.mustache

This function retrieved the status code from the `lastStatusCodeByThread` map. While a read operation, its use is indicative of the faulty stateful pattern that caused the memory leak.

com.okta.sdk.helper.PaginationUtil.getAfter

api/src/main/java/com/okta/sdk/helper/PaginationUtil.java

This public utility function was used for manual pagination and relied on the vulnerable, stateful behavior of the ApiClient. It calls `getNextPage`, which in turn calls the problematic `apiClient.getResponseHeaders()` method, thus triggering the read from the leaking map.

com.okta.sdk.helper.PaginationUtil.getNextPage

api/src/main/java/com/okta/sdk/helper/PaginationUtil.java

This private helper function directly called `apiClient.getResponseHeaders()` to retrieve the 'next' link from the response headers. This makes it a direct participant in the vulnerable workflow that reads from the leaking `lastResponseHeadersByThread` map in the ApiClient.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66033: Improper Memory Cleanup in the Okta Java SDK

Description

Affected product and versions

Resolution

Acknowledgement

CVE-2025-66033:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.3

5.3

Basic Information

Basic Information

Technical Details

CVE-2025-66033: Improper Memory Cleanup in the Okta Java SDK

Description

Affected product and versions

Resolution

Acknowledgement

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI