The vulnerability lies in the parsing of URLs within UriComponentsBuilder, specifically related to the USERINFO_PATTERN. The provided patch updates this regex. Therefore, public methods of UriComponentsBuilder that accept string URLs (like fromUriString, fromHttpUrl) and trigger the parsing logic are the primary vulnerable functions. The build() method, which finalizes the URI, and any internal parsing methods (like a hypothetical parseUriString) that use the pattern are also relevant as they are part of the vulnerable code execution path. The change in the regex from ([^@\\[/?#]*) to ([^@/?#]*) indicates that the previous pattern allowed characters that could be exploited to bypass host validation by manipulating the userinfo part of the URL.