The vulnerability stems from improper parsing of userinfo containing '@' and ':' characters. The pre-patch code in index.js used split(':') to separate username/password and did not properly handle encoded characters, allowing attackers to craft malicious auth strings that bypass authorization checks. The commit diff shows critical fixes: 1) Using lastIndexOf('@') instead of indexOf('@') to prevent ambiguous parsing, and 2) Adding URI component encoding/decoding when handling auth components. These changes directly address the authorization bypass by ensuring proper handling of special characters in user-controlled auth data.