The vulnerability stemmed from how URLs were constructed using new URL() with unsanitized user input. The original implementation in getUrl didn't handle protocol-relative URLs (starting with //) or backslashes properly, allowing malicious paths to be interpreted as absolute URLs. The fix introduced a normalizeUrl function that replaces double slashes and backslashes before URL construction, which was added to prevent this CSRF bypass vector. The test cases in http.unit.ts explicitly demonstrate how the vulnerable version would have incorrectly resolved '//attacker.com' to an external domain rather than a path under the application's origin.