Workers SDK Issue Reports

← Back to Dashboard

#7669 KV key operations fail with 403 when key contains "..."

Recommendation:KEEP OPEN
Difficulty:n/a
Reasoning:

Confirmed bug: maintainer reproduced. Wrangler correctly URL-encodes keys but API/WAF returns 403 for keys with multiple dots. Dashboard works. Similar fix exists for secrets (PR #10668).

Suggested Action:

Keep open - requires API-side fix similar to secrets url_encoded parameter

View on GitHub →

Analysis Report

Issue Review: cloudflare/workers-sdk#7669

Summary

KV key operations (delete/put) fail with 403 Forbidden when keys contain multiple consecutive dots (e.g., "...").

Findings

  • Created: 2025-01-05
  • Updated: 2025-10-30
  • Version: 3.80.4 (reported) / 3.99.0 (confirmed) → 4.60.0 (current)
  • Component: wrangler (KV commands)
  • Labels: bug
  • Comments: 2

Key Evidence

  • Reporter confirms issue: Key ending with "..." fails with 403 on kv key delete
  • Maintainer confirmation: @edmundhung (Cloudflare member) reproduced and confirmed the issue also affects kv key put. Issue occurs when there's more than one consecutive dot.
  • Dashboard works: The same keys can be added/deleted via the Cloudflare dashboard, indicating this is an API/proxy-level issue, not a KV storage limitation.
  • Wrangler code is correct: The deleteKVKeyValue function in packages/wrangler/src/kv/helpers.ts properly uses encodeURIComponent(key) for URL encoding.
  • No fix found: No PRs or changelog entries reference this issue. The recent PR #10668 (secrets URL encoding) used a similar approach but only for secrets, not KV.
  • Root cause hypothesis: The 403 Forbidden response (with HTML body) suggests a WAF or edge proxy is blocking requests that look like path traversal attempts (e.g., %2E%2E%2E decodes to ...).

Potential Workaround

Similar to PR #10668 for secrets, the API may need to support a url_encoded query parameter to signal that the path is intentionally encoded, bypassing WAF rules.

Recommendation

Status: KEEP OPEN

Reasoning: This is a confirmed, reproducible bug acknowledged by a Cloudflare maintainer. The issue is likely server-side (API/WAF level) rather than a wrangler bug. The wrangler code correctly encodes the key, but the API/edge infrastructure returns 403 for keys with multiple dots. No fix has been implemented yet.

Action: This issue should remain open. It may require coordination with the KV API team to add support for URL-encoded keys similar to how PR #10668 fixed secrets with complex names. Consider linking to PR #10668 as a reference implementation for the fix pattern.

Suggested Comment

This issue is still relevant and reproducible as of wrangler 4.60.0. The wrangler code correctly URL-encodes the key, but the API returns 403 Forbidden.

A similar issue was fixed for secrets in PR #10668 by adding a url_encoded query parameter. The same approach might be needed for the KV API endpoints.

Is there a tracking issue on the API side for this?

Notes & Feedback (0)

No notes yet.

Add Note