CVE-2025-66033 identifies a memory management vulnerability in the Okta Java Management SDK, specifically versions 21.0.0 through 24.0.0. The root cause is improper cleanup of threads after API requests in multithreaded environments, resulting in unreleased memory (CWE-401: Missing Release of Memory after Effective Lifetime). Over time, this memory leak accumulates, leading to degraded application performance and potentially causing denial-of-service (DoS) conditions in long-running applications that utilize the ApiClient concurrently across multiple threads. The vulnerability does not impact confidentiality or integrity but directly affects availability. Exploitation requires network access and low privileges (PR:L), with high attack complexity (AC:H), and no user interaction (UI:N). The vulnerability is fixed in version 24.0.1 of the SDK. No known exploits have been reported in the wild, but the risk is significant for environments relying on continuous, multithreaded API interactions with Okta services. This vulnerability is particularly relevant for organizations using Okta for identity and access management in Java-based applications, especially those with high concurrency and uptime requirements.

For European organizations, the primary impact is on availability and performance of identity management systems that integrate Okta via the Java SDK in multithreaded applications. Memory leaks can cause gradual degradation, leading to application crashes or denial-of-service, disrupting authentication and authorization workflows. This can affect business continuity, especially in sectors relying heavily on Okta for secure access management such as finance, healthcare, and government. The vulnerability does not expose sensitive data or allow privilege escalation, but service outages can indirectly impact operational security and compliance with regulations like GDPR that require availability and integrity of systems. Organizations running long-lived Java applications with Okta SDK versions prior to 24.0.1 are at risk, particularly those with high transaction volumes or sustained API usage.

The primary mitigation is to upgrade the Okta Java Management SDK to version 24.0.1 or later, where the memory leak issue is resolved. Organizations should audit their usage of the ApiClient in multithreaded contexts and refactor code to ensure proper thread lifecycle management if upgrading is delayed. Implement monitoring of application memory usage and thread counts to detect abnormal growth indicative of leaks. Employ automated restarts or container orchestration strategies to recycle affected services proactively. Additionally, conduct thorough testing of long-running applications under load to identify potential memory exhaustion. Network segmentation and limiting access to Okta API endpoints can reduce exposure. Finally, maintain up-to-date dependency management and vulnerability scanning to detect usage of vulnerable SDK versions.