Broken Authentication in Django CVE-2007-0405 [CVE-2007-0405]

CVE-2007-0405 describes a broken authentication scenario in Django 0.95 where the LazyUser class used by AuthenticationMiddleware did not properly cache the username across requests. This could allow a remotely authenticated user to reuse a cached identity and gain the privileges of another user. In real deployments, this manifested as cross-request leakage of user identity, enabling privilege escalation within the application. The patch for Django fixed how user resolution is cached and ensured per-request freshness, preventing one request from influencing the authentication state seen by subsequent requests. This remediation guide references the CVE directly and shows how to apply the fix in current Django code paths. In practice, the vulnerability stems from a shared or static cache that persisted a username beyond the lifetime of a single HTTP request. Attackers could exploit the cache by initiating multiple authenticated sessions or requests and cause the system to treat subsequent requests as if they belonged to a different user. The fix is to remove cross-request caching of authentication state, or to scope any caching to a per-request context (e.g., thread-local or request-scoped storage) so that each HTTP request resolves the correct user independently. Modern Django versions rely on per-request authentication state via request.user and the session backend, eliminating the ability for a cached username to leak across requests. To remediate in real Django code, upgrade to a patched Django release or apply an equivalent patch to AuthenticationMiddleware that eliminates cross-request caching of user identity. The key pattern is to avoid any module-level or process-wide caches of the authenticated user and to always derive request.user from the current session data for each request. Below are a concrete code example and steps you can follow to implement the fix safely and verify the protection.