diff --git a/debian/changelog b/debian/changelog
index fbf71114ac5146af1f2e594725ce03107b77a515..a6214b575b70138e372ec90001a6722926e22cc0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+python-urllib3 (1.25.8-ok3) yangtze; urgency=medium
+
+  * jyadll CVE-2021-33503 安全更新:在鉴权模块的URL中添加@参数导致资源管理错误
+
+ -- zhanghongyang <zhanghongyang@bupt.edu.cn>  Tue, 21 Feb 2023 20:57:51 +0800
+
 python-urllib3 (1.25.8-ok2) yangtze; urgency=medium
 
   * jyadll CVE-2020-26137 安全更新:可以在putrequest()的第一个参数中插入CR和LF控制字符
diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
index 6a8a8f9a35e86e2466acfced607d59b2a616551b..61e7c5572a35326d2711bfaf1159405fa49b148c 100644
--- a/src/urllib3/util/url.py
+++ b/src/urllib3/util/url.py
@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
 BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
 ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
 
-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
+_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
     REG_NAME_PAT,
     IPV4_PAT,
     IPV6_ADDRZ_PAT,
 )
-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL)
+_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL)
 
 UNRESERVED_CHARS = set(
     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"
@@ -365,7 +365,9 @@ def parse_url(url):
             scheme = scheme.lower()
 
         if authority:
-            auth, host, port = SUBAUTHORITY_RE.match(authority).groups()
+            auth, _, host_port = authority.rpartition("@")
+            auth = auth or None
+            host, port = _HOST_PORT_RE.match(host_port).groups()
             if auth and normalize_uri:
                 auth = _encode_invalid_chars(auth, USERINFO_CHARS)
             if port == "":
diff --git a/test/test_util.py b/test/test_util.py
index 61ba49489a5f1c19fe0b0c3420d5dbff7f2af3c8..0d13e98857b2a50e3a20816b97c8e10b1dc21e03 100644
--- a/test/test_util.py
+++ b/test/test_util.py
@@ -425,6 +425,16 @@ class TestUtil(object):
                 query="%0D%0ASET%20test%20failure12%0D%0A:8080/test/?test=a",
             ),
         ),
+        # Tons of '@' causing backtracking
+        ("https://" + ("@" * 10000) + "[", False),
+        (
+            "https://user:" + ("@" * 10000) + "example.com",
+            Url(
+                scheme="https",
+                auth="user:" + ("%40" * 9999),
+                host="example.com",
+            ),
+        ),
     ]
 
     @pytest.mark.parametrize("url, expected_url", url_vulnerabilities)