Executive Summary

CVE-2026-3902 is a low-severity security vulnerability in Django's ASGIRequest handling related to header spoofing via underscore/hyphen conflation.

ASGIRequest normalizes HTTP header names by converting hyphens to underscores following WSGI conventions. This allows an attacker to spoof security-sensitive headers that use hyphens by sending headers with underscores instead.

This spoofing bypasses protections in reverse proxies that strip such headers because ASGI lacks the uniform expectation that servers or proxies prevent ambiguous mappings, unlike WSGI.

To mitigate this, Django now ignores headers containing underscores in ASGIRequest, aligning with the behavior of the ASGI reference server Daphne.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a remote attacker to spoof security-sensitive HTTP headers by exploiting the ambiguous mapping of headers with hyphens and underscores.

By spoofing headers, an attacker could bypass protections implemented by reverse proxies that normally strip or block such headers, potentially leading to unauthorized access or manipulation of request handling.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves spoofing HTTP headers by exploiting the ambiguous mapping of headers with hyphens and underscores in ASGIRequest. Detection involves monitoring HTTP requests for suspicious headers containing underscores that could be used to bypass protections.

You can inspect incoming HTTP headers on your server or proxy to identify headers with underscores that might be spoofing security-sensitive headers. For example, using command-line tools like tcpdump or tshark to capture HTTP traffic and grep or awk to filter headers with underscores.

• Use tcpdump to capture HTTP traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 443'
• Filter captured traffic for headers containing underscores: grep -i '_'
• Alternatively, use tshark to extract HTTP headers: tshark -Y http -T fields -e http.host -e http.request.full_uri -e http.header

Look specifically for headers that should normally contain hyphens but appear with underscores, as these may indicate attempts to exploit the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Django to a fixed version that addresses this vulnerability.

• Upgrade Django to version 6.0.4 or later if using the 6.0 series.
• Upgrade Django to version 5.2.13 or later if using the 5.2 series.
• Upgrade Django to version 4.2.30 or later if using the 4.2 series.

These versions include a fix where Django ignores headers containing underscores in ASGIRequest, preventing header spoofing.

Additionally, ensure that your reverse proxies (e.g., nginx) are configured to reject or strip headers with underscores, as many proxies protect against this by default.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows remote attackers to spoof security-sensitive HTTP headers by exploiting ambiguous mapping of headers with hyphens and underscores in Django's ASGIRequest handling. This spoofing can potentially bypass protections in reverse proxies, which may lead to unauthorized access or manipulation of sensitive data.

Such unauthorized access or manipulation of data could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and access. If exploited, this vulnerability might lead to violations of these regulations due to improper handling or exposure of protected data.

To mitigate this risk and maintain compliance, Django has updated ASGIRequest to ignore headers containing underscores, aligning with the behavior of the ASGI reference server Daphne. Users are encouraged to upgrade to the fixed versions (6.0.4, 5.2.13, and 4.2.30) to prevent exploitation.

Useful 0 Not Useful 0