[Django] #37101: Vary header cache key collision from missing delimiter
20 views
Skip to first unread message
Django
May 15, 2026, 10:41:53 AMMay 15
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Type: Bug
Status: new | Component: Core
| (Cache system)
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
When a cached view varies on multiple headers, the values of those headers
are concatenated together in the cache key. There is no delimiter, meaning
the cache keys could overlap:
{{{
X-Region: US
X-Tenant: victim-corp
}}}
{{{
X-Region: U
X-Tenant: Svictim-corp
}}}
The above 2 examples would result in the same cache key, despite being
different values. Changes to the cache key should be made to ensure values
in this way don't collide.
----
This was previously reported to the Security Team by GeonHa. However,
because it requires in depth knowledge of the system, a lack of user
validation and similar values, it is not considered a vulnerability.
--
Ticket URL: <https://code.djangoproject.com/ticket/37101>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Type: Bug
Status: new | Component: Core
| (Cache system)
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
When a cached view varies on multiple headers, the values of those headers
are concatenated together in the cache key. There is no delimiter, meaning
the cache keys could overlap:
{{{
X-Region: US
X-Tenant: victim-corp
}}}
{{{
X-Region: U
X-Tenant: Svictim-corp
}}}
The above 2 examples would result in the same cache key, despite being
different values. Changes to the cache key should be made to ensure values
in this way don't collide.
----
This was previously reported to the Security Team by GeonHa. However,
because it requires in depth knowledge of the system, a lack of user
validation and similar values, it is not considered a vulnerability.
--
Ticket URL: <https://code.djangoproject.com/ticket/37101>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
May 15, 2026, 12:08:53 PMMay 15
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+------------------------------------
Reporter: Jake Howard | Owner: (none)
-------------------------------------+------------------------------------
Type: Bug | Status: new
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Component: Core (Cache system) | Version: 6.0
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
Changes (by Sarah Boyce):
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
* stage: Unreviewed => Accepted
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:1>
Django
May 15, 2026, 1:00:54 PMMay 15
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: gonas0919
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by gonas0919):
* owner: (none) => gonas0919
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:2>
Django
Jun 10, 2026, 1:02:17 PMJun 10
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+------------------------------------
Reporter: Jake Howard | Owner: gonas
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
Comment (by Jason Judkins):
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
@Gonas Hey, are you still working on this? Happy to collaborate or take it
over if you've moved on.
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:3>
Django
Jun 10, 2026, 1:23:45 PMJun 10
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+------------------------------------
Reporter: Jake Howard | Owner: gonas
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
Comment (by Jacob Walls):
-------------------------------------+------------------------------------
Reporter: Jake Howard | Owner: gonas
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+------------------------------------
We're hoping to land a fix for this before the 6.1 beta (June 24), so if
we don't have a PR by early next week, I'll need to pick it up myself.
Happy for you to make a start, Jason.
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:4>
Django
Jun 18, 2026, 11:39:42 AM (7 days ago) Jun 18
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Jacob Walls):
* owner: gonas => Jacob Walls
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:5>
Django
Jun 18, 2026, 2:50:42 PM (7 days ago) Jun 18
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):
* has_patch: 0 => 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):
Comment:
[https://github.com/django/django/pull/21516 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:6>
Django
Jun 23, 2026, 1:04:53 PM (2 days ago) Jun 23
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
-------------------------------------+-------------------------------------
* needs_better_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:7>
Django
Jun 23, 2026, 2:36:20 PM (2 days ago) Jun 23
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):
-------------------------------------+-------------------------------------
* needs_better_patch: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:8>
Django
Jun 23, 2026, 5:12:16 PM (2 days ago) Jun 23
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: assigned
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution:
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:9>
Django
Jun 24, 2026, 10:00:30 AM (yesterday) Jun 24
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: closed
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
In [changeset:"02f94d2a899b6573f90dee5417afb8a763ee7f25" 02f94d2]:
{{{#!CommitTicketReference repository=""
revision="02f94d2a899b6573f90dee5417afb8a763ee7f25"
Refs #37101, #37174 -- Added release note for cache misses when varying on
arguments.
Thanks Natalia Bidart for the review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:11>
Django
Jun 24, 2026, 10:00:31 AM (yesterday) Jun 24
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: closed
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls <jacobtylerwalls@…>):
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: closed
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* resolution: => fixed
* status: assigned => closed
Comment:
In [changeset:"65acb3cc2e76c238f5aee38d22626d92171a2f7c" 65acb3cc]:
{{{#!CommitTicketReference repository=""
revision="65acb3cc2e76c238f5aee38d22626d92171a2f7c"
Fixed #37101 -- Used netstring delimiter between vary on headers for
cached pages.
This prevents collisions between header values that concatenate to the
same thing.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:10>
Django
Jun 24, 2026, 10:02:33 AM (yesterday) Jun 24
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: closed
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: closed
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
In [changeset:"8ae64fc040f1da7737f389a0d815808ffade2bd8" 8ae64fc]:
{{{#!CommitTicketReference repository=""
revision="8ae64fc040f1da7737f389a0d815808ffade2bd8"
[6.1.x] Fixed #37101 -- Used netstring delimiter between vary on headers
for cached pages.
This prevents collisions between header values that concatenate to the
same thing.
Backport of 65acb3cc2e76c238f5aee38d22626d92171a2f7c from main.
This prevents collisions between header values that concatenate to the
same thing.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:12>
Django
Jun 24, 2026, 10:02:35 AM (yesterday) Jun 24
to django-...@googlegroups.com
#37101: Vary header cache key collision from missing delimiter
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: closed
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):
In [changeset:"e4cda2e5dd314bb5f9a15b6b4d74a14a87ae1dec" e4cda2e]:
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: Jacob
| Walls
Type: Bug | Status: closed
Component: Core (Cache system) | Version: 6.0
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls <jacobtylerwalls@…>):
{{{#!CommitTicketReference repository=""
revision="e4cda2e5dd314bb5f9a15b6b4d74a14a87ae1dec"
[6.1.x] Refs #37101, #37174 -- Added release note for cache misses when
varying on arguments.
Thanks Natalia Bidart for the review.
Backport of 02f94d2a899b6573f90dee5417afb8a763ee7f25 from main.
Thanks Natalia Bidart for the review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/37101#comment:13>
Reply all
Reply to author
Forward
0 new messages