type confusion for product_list[a]=b

[ElectricNroff]

for cveawg-test.mitre.org as of 2025-07-30T14:50:00Z
( may correspond to the version announced on Slack on 2025-07-17 as
"the bug fixes / testing updates for the user registry MVP" but
there is no tag for this software at
https://github.com/CVEProject/cve-services/tags )

request:

curl -X PUT -G \
--data-urlencode 'product_list[a]=b' \
--data-urlencode 'registry=true' \
-H "CVE-API-ORG: ..." \
-H "CVE-API-USER: ..." \
-H "CVE-API-KEY: ..." \
https://cveawg-test.mitre.org/api/org/exampleCNA

outcome:

HTTP/2 400

{"message":"Parameters were invalid","details":[{"value":{"a":"b"},
"msg":"val.includes is not a function","param":"product_list",
"location":"query"},{"value":{"a":"b"},"msg":"Invalid value",
"param":"product_list","location":"query"}]}

In other words, product_list[a]=b is correctly interpreted as a product_list value of {"a":"b"} but then the server implementation tries to use the includes method in a situation where the includes method is not defined for the data type. The error message should report that {"a":"b"} has the wrong data type for product_list.