https://github.com/advisories/GHSA-x39x-9qw5-ghrf
> The core issue stems from the line domain = domain.split(':')[0], which allows an attacker to manipulate basic authentication credentials by providing a username:password pair. By replacing the username with a whitelisted domain, the check can be bypassed, even though the actual domain remains different.
So consider https://example.com:pass@google.com
This URL goes to google.com (paste it in your browser to see), but the library will consider this a URL that goes to example.com, which it doesn't.