Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to *.example.com, a request to [::1%25.example.com]:80` will incorrectly match and not be proxied.
The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.