Summary
makeDeduplicationKey in lib/util/cache.js:376 constructs keys using : and = delimiters without escaping header names or values. Different header sets can produce identical keys, causing response confusion when the deduplicate interceptor is enabled.
Reproduction
Headers {a:"x:b=y"} produces the same dedup key as {a:"x", b:"y"}:
- Key 1:
GET:https://example.com:a=x:b=y
- Key 2:
GET:https://example.com:a=x:b=y
Both are identical despite different header sets.
Impact
When cache deduplication is used, concurrent requests with colliding keys share a dedup slot, potentially receiving the wrong response. Impact depends on what headers differ (auth headers, content negotiation, etc).
Suggested Fix
Escape : and = in header names/values before key construction, or use a collision-resistant format (e.g., JSON.stringify sorted entries, or length-prefixed encoding).
Affected Component
Deduplicate interceptor (lib/util/cache.js)
Found during automated security audit.
Summary
makeDeduplicationKeyinlib/util/cache.js:376constructs keys using:and=delimiters without escaping header names or values. Different header sets can produce identical keys, causing response confusion when the deduplicate interceptor is enabled.Reproduction
Headers
{a:"x:b=y"}produces the same dedup key as{a:"x", b:"y"}:GET:https://example.com:a=x:b=yGET:https://example.com:a=x:b=yBoth are identical despite different header sets.
Impact
When cache deduplication is used, concurrent requests with colliding keys share a dedup slot, potentially receiving the wrong response. Impact depends on what headers differ (auth headers, content negotiation, etc).
Suggested Fix
Escape
:and=in header names/values before key construction, or use a collision-resistant format (e.g.,JSON.stringifysorted entries, or length-prefixed encoding).Affected Component
Deduplicate interceptor (
lib/util/cache.js)Found during automated security audit.