
CVE-2025-66033: CWE-401: Missing Release of Memory after Effective Lifetime in okta okta-sdk-java

Severity: Medium
Tags: Vulnerability, CVE-2025-66033, cve, cwe-401
Published: Wed Dec 10 2025 (12/10/2025, 21:46:13 UTC)
Source: CVE Database V5
Vendor/Project: okta
Product: okta-sdk-java

Description

Okta Java Management SDK facilitates interactions with the Okta management API. In versions 21.0.0 through 24.0.0, specific multithreaded implementations may encounter memory issues as threads are not properly cleaned up after requests are completed. Over time, this can degrade performance and availability in long-running applications and may result in a denial-of-service condition under sustained load. In addition to using the affected versions, users may be at risk if they are implementing a long-running application using the ApiClient in a multi-threaded manner. This issue is fixed in version 24.0.1.

AI-Powered Analysis

Last updated: 12/17/2025, 23:12:04 UTC

Technical Analysis

CVE-2025-66033 is a vulnerability classified under CWE-401 (Missing Release of Memory after Effective Lifetime) affecting the Okta Java Management SDK (okta-sdk-java) in versions from 21.0.0 up to but not including 24.0.1. The SDK facilitates interactions with the Okta management API and is commonly used for identity and access management automation. The flaw arises in specific multithreaded implementations where threads spawned to handle API requests are not properly cleaned up or released after the requests complete. The application therefore accumulates unreleased thread resources over time, which is a memory leak. The consequence is progressive degradation of application performance and availability, which can culminate in a denial-of-service (DoS) condition, especially in long-running applications under sustained load. The vulnerability does not expose data confidentiality or integrity; it affects system availability only. Exploitation requires network access with low privileges and no user interaction, so it is feasible in automated or unattended environments. The issue was identified and fixed in version 24.0.1 of the SDK. No exploits are currently reported in the wild, but organizations relying on affected versions for critical identity management functions should treat this as a significant operational risk.

Potential Impact

For European organizations, the primary impact of CVE-2025-66033 is on the availability and reliability of applications that integrate with Okta via the Java SDK in multithreaded, long-running environments. Organizations using Okta for identity and access management automation, especially those with high transaction volumes or continuous operation, may experience gradual performance degradation leading to service outages or denial-of-service conditions. This can disrupt user authentication, authorization workflows, and administrative operations, potentially impacting business continuity. The vulnerability does not compromise data confidentiality or integrity, but the resulting service unavailability could affect compliance with regulations such as GDPR if identity services are critical to data access controls. Additionally, organizations in sectors with stringent uptime requirements (e.g., finance, healthcare, critical infrastructure) may face operational and reputational risks. The lack of known exploits reduces immediate threat but does not eliminate risk due to the ease of triggering memory leaks in affected environments.

Mitigation Recommendations

European organizations should immediately assess their use of the Okta Java Management SDK, specifically checking for versions between 21.0.0 and 24.0.0 in multithreaded, long-running applications. The primary mitigation is to upgrade to version 24.0.1 or later, where the memory leak is resolved. Until an upgrade is possible, organizations should consider implementing application-level monitoring of memory usage and thread counts to detect abnormal resource consumption early. Limiting the lifespan of processes that use the affected SDK, or restarting services periodically, can mitigate the risk of a sustained leak. Developers should review their multithreaded usage patterns of the ApiClient to ensure proper thread lifecycle management. Additionally, applying resource quotas and employing container orchestration features (e.g., Kubernetes pod restarts) can help contain the impact. Finally, organizations should maintain up-to-date incident response plans to address potential denial-of-service scenarios stemming from this vulnerability.
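The recommendation above to monitor thread counts and memory in long-running services can be implemented in-process with the JVM's own management beans. The following is an added example, not code from the advisory or from Okta's SDK: a small watchdog that samples the live thread count and heap usage, flags the leak signature (a thread count that rises on every sample, or either metric crossing a ceiling), and, on alert, summarizes live threads by name prefix so the leaking pool can be identified without a full thread dump. The thresholds are hypothetical and must be tuned to the service's normal baseline; the `leaky-worker` threads in `main` are a constructed stand-in for a workload that never cleans up its threads, not the SDK's behaviour.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.MemoryMXBean;
import java.lang.management.ThreadMXBean;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/**
 * Watchdog for long-running JVM services: samples live thread count and heap usage
 * and flags the signature of a resource leak (monotonically rising thread count,
 * or either metric above a hard ceiling). Thresholds are hypothetical examples.
 */
public final class ResourceWatchdog {
    private final ThreadMXBean threads = ManagementFactory.getThreadMXBean();
    private final MemoryMXBean memory = ManagementFactory.getMemoryMXBean();
    private final int maxThreads;
    private final long maxHeapBytes;
    private final int growthWindow;   // consecutive rising samples before an alert
    private int risingSamples;
    private int lastThreadCount = -1;

    public ResourceWatchdog(int maxThreads, long maxHeapBytes, int growthWindow) {
        this.maxThreads = maxThreads;
        this.maxHeapBytes = maxHeapBytes;
        this.growthWindow = growthWindow;
    }

    /** Takes one sample; returns true when the leak signature or a ceiling is hit. */
    public synchronized boolean sample() {
        int count = threads.getThreadCount();
        long heapUsed = memory.getHeapMemoryUsage().getUsed();

        // A thread count that rises on every sample is the pattern an unreleased-thread
        // bug produces; a healthy pool plateaus at its configured size.
        if (lastThreadCount >= 0 && count > lastThreadCount) {
            risingSamples++;
        } else {
            risingSamples = 0;
        }
        lastThreadCount = count;

        boolean alert = count > maxThreads
                || heapUsed > maxHeapBytes
                || risingSamples >= growthWindow;

        System.err.printf("threads=%d (peak %d) heapUsed=%dMiB rising=%d%s%n",
                count, threads.getPeakThreadCount(), heapUsed >> 20, risingSamples,
                alert ? " ALERT: possible thread/memory leak" : "");
        if (alert) {
            System.err.println("live threads by name prefix: " + threadGroups());
        }
        return alert;
    }

    /** Counts live threads by the part of their name before the first digit. */
    public static Map<String, Integer> threadGroups() {
        Map<String, Integer> groups = new TreeMap<>();
        for (Thread t : Thread.getAllStackTraces().keySet()) {
            String prefix = t.getName().replaceAll("\\d.*$", "");
            groups.merge(prefix, 1, Integer::sum);
        }
        return groups;
    }

    /** Runs sample() on a daemon scheduler so the watchdog never keeps the JVM alive. */
    public ScheduledExecutorService start(long periodSeconds) {
        ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "resource-watchdog");
            t.setDaemon(true);
            return t;
        });
        ses.scheduleAtFixedRate(this::sample, 0, periodSeconds, TimeUnit.SECONDS);
        return ses;
    }

    public static void main(String[] args) throws InterruptedException {
        ResourceWatchdog wd = new ResourceWatchdog(200, 512L << 20, 5);
        wd.start(10);
        // Constructed stand-in for a leaking workload: one new thread per second that
        // is never joined or shut down. After five rising samples the watchdog alerts.
        for (int i = 0; i < 60; i++) {
            Thread t = new Thread(() -> {
                try { Thread.sleep(Long.MAX_VALUE); } catch (InterruptedException ignored) { }
            }, "leaky-worker-" + i);
            t.setDaemon(true);
            t.start();
            Thread.sleep(1_000);
        }
    }
}
```

In a real service, `sample()` would feed a metrics exporter or health endpoint rather than stderr, and the alert would be the trigger for the periodic restart or orchestrator-driven pod recycling mentioned above. The per-prefix summary is what distinguishes a leak in the SDK's request handling from growth in some other pool: the prefix whose count keeps climbing is the one to inspect.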


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-21T01:08:02.615Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6939ec5a5ab76fdc5f2d8880

Added to database: 12/10/2025, 9:55:38 PM

Last enriched: 12/17/2025, 11:12:04 PM

Last updated: 2/6/2026, 1:46:12 AM
