GHSA-j5gq-897m-2rff

Source
https://github.com/advisories/GHSA-j5gq-897m-2rff
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-j5gq-897m-2rff/GHSA-j5gq-897m-2rff.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j5gq-897m-2rff
Aliases
Published
2025-12-10T21:31:52Z
Modified
2025-12-10T21:56:16.380140Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
Summary
Race condition in the Okta Java SDK
Details

Description

In the Okta Java SDK, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request’s response to influence another request’s response.

Affected product and versions

You may be affected if you meet the following preconditions:
  • Using the Okta Java SDK between versions 11.0.0 and 20.0.0, and
  • Implementing a multithreaded application with the ApiClient class where the response status code is used in access control flows

Resolution

Upgrade Okta/okta-sdk-java to versions 21.0.0 or greater.
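The following Java program is an added illustration of the bug class the advisory describes, not code from the advisory or from the Okta Java SDK; it does not reproduce the SDK's ApiClient internals. It contrasts a hypothetical client that keeps the most recent status code on the shared instance with one that returns an immutable response per call, and uses latches to force the interleaving in which one thread's 200 overwrites another thread's 403 before the access-control check reads it. All class and method names are constructed for the example.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

public class ResponseRaceDemo {

    // Hypothetical client mirroring the vulnerable pattern: the status code
    // of the most recent response lives on the shared client instance.
    static final class SharedStateClient {
        private volatile int lastStatusCode;

        // Stands in for an HTTP round-trip; the "backend" status is supplied
        // by the caller so the demo runs offline.
        void request(int statusFromBackend) {
            lastStatusCode = statusFromBackend;
        }

        int getLastStatusCode() {
            return lastStatusCode;
        }
    }

    // Hardened shape: each call returns its own immutable response object,
    // so one request's status cannot be observed by another caller.
    static final class PerCallClient {
        static final class Response {
            final int statusCode;
            Response(int statusCode) { this.statusCode = statusCode; }
        }

        Response request(int statusFromBackend) {
            return new Response(statusFromBackend);
        }
    }

    // Access-control decision as an application might derive it from a status code.
    static boolean isAllowed(int statusCode) {
        return statusCode == 200;
    }

    private static void await(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Latches force the interleaving: A's 403 arrives first, B's 200
        // overwrites the shared field, then A reads the status.
        CountDownLatch aDone = new CountDownLatch(1);
        CountDownLatch bDone = new CountDownLatch(1);
        SharedStateClient shared = new SharedStateClient();
        AtomicInteger statusSeenByA = new AtomicInteger();

        Thread a = new Thread(() -> {
            shared.request(403);          // A's own request is denied
            aDone.countDown();
            await(bDone);                 // B's response lands in between
            statusSeenByA.set(shared.getLastStatusCode());
        });
        Thread b = new Thread(() -> {
            await(aDone);
            shared.request(200);          // B's request is allowed
            bDone.countDown();
        });
        a.start(); b.start(); a.join(); b.join();
        System.out.println("shared-state client: A was denied (403) but observes "
                + statusSeenByA.get() + ", allowed=" + isAllowed(statusSeenByA.get()));

        // Same interleaving against the per-call client: A keeps its own response.
        CountDownLatch aDone2 = new CountDownLatch(1);
        CountDownLatch bDone2 = new CountDownLatch(1);
        PerCallClient perCall = new PerCallClient();
        AtomicInteger statusSeenByA2 = new AtomicInteger();

        Thread a2 = new Thread(() -> {
            PerCallClient.Response r = perCall.request(403);
            aDone2.countDown();
            await(bDone2);
            statusSeenByA2.set(r.statusCode);
        });
        Thread b2 = new Thread(() -> {
            await(aDone2);
            perCall.request(200);
            bDone2.countDown();
        });
        a2.start(); b2.start(); a2.join(); b2.join();
        System.out.println("per-call client: A observes " + statusSeenByA2.get()
                + ", allowed=" + isAllowed(statusSeenByA2.get()));
    }
}
```

With the shared-state client the first line reports that thread A observes 200 and is treated as allowed even though its own request was denied; with the per-call client the second line reports 403 and allowed=false. Until the upgrade is in place, the practical check for an application in the affected range is to confirm that no access-control decision reads a status code or header from a client instance shared across threads rather than from the result of the specific call that was made.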

Database specific
{
    "cwe_ids": [
        "CWE-362"
    ],
    "github_reviewed_at": "2025-12-10T21:31:52Z",
    "severity": "HIGH",
    "nvd_published_at": null,
    "github_reviewed": true
}
References

Affected packages

Maven / com.okta.sdk:okta-sdk-root

Package

Name
com.okta.sdk:okta-sdk-root
Purl
pkg:maven/com.okta.sdk/okta-sdk-root

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
20.0.1

Affected versions

11.*

11.0.0
11.0.2
11.0.3

12.*

12.0.0
12.0.1
12.0.2

13.*

13.0.0
13.0.1
13.0.2
13.0.3

14.*

14.0.0

15.*

15.0.0

16.*

16.0.0

17.*

17.0.0

18.*

18.0.0

19.*

19.0.0
19.0.1

20.*

20.0.0

Database specific

last_known_affected_version_range

"<= 20.0.0"