In URI.js the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example, the URL https://expected-example.com\@observed-example.com will incorrectly return observed-example.com if using an affected version.
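
An added example (not code from URI.js or from this advisory) of guarding a host allowlist against this parser disagreement. naiveHostname is a simplified stand-in for an RFC 3986-style authority split that reproduces the result described above; all function names are hypothetical and the inputs are constructed.

```javascript
// Simplified RFC 3986-style authority split: the authority ends at the first
// "/", "?" or "#", and everything before the last "@" is treated as userinfo.
// A backslash is not a delimiter here, so "host\@other" yields "other".
function naiveHostname(input) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(input);
  if (!m) return null;
  const hostPort = m[1].slice(m[1].lastIndexOf("@") + 1);
  return hostPort.replace(/:\d*$/, "").toLowerCase();
}

// WHATWG URL parsing (Node.js and browsers): for http(s) a "\" is handled
// like "/", so the authority stops before the backslash.
function whatwgHostname(input) {
  try {
    return new URL(input).hostname;
  } catch {
    return null;
  }
}

// Guard for security decisions: refuse backslashes outright, and refuse any
// input on which the two parsers disagree about the host.
function hostnameForDecision(input) {
  if (input.includes("\\")) return null;
  const a = naiveHostname(input);
  const b = whatwgHostname(input);
  return a !== null && a === b ? a : null;
}

// Allowlist check that only trusts an unambiguous hostname.
function isAllowed(input, allowlist) {
  const host = hostnameForDecision(input);
  return host !== null && allowlist.includes(host);
}

// Constructed sample: the URL from the text above.
const spoofed = "https://expected-example.com\\@observed-example.com";
console.log("naive split :", naiveHostname(spoofed));
console.log("WHATWG URL  :", whatwgHostname(spoofed));
console.log("allowed     :", isAllowed(spoofed, ["observed-example.com"]));
```

The guard fails closed: a URL whose host cannot be agreed on is treated as not allowed instead of being normalized and passed on.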