diff --git a/lib/SimpleSAML/Utils/HTTP.php b/lib/SimpleSAML/Utils/HTTP.php
index 96cfc62ecc5146a83a5bafdeb4fdc877272e65dd..d14d71e5a9f2d7d18c6ed51aad0e0ea1120f6e42 100644
--- a/lib/SimpleSAML/Utils/HTTP.php
+++ b/lib/SimpleSAML/Utils/HTTP.php
@@ -341,6 +341,13 @@ class HTTP
             $components = parse_url($url);
             $hostname = $components['host'];
 
+            // check for userinfo
+            if ((isset($components['user']) && strpos($components['user'], '\\') !== false) ||
+                (isset($components['pass']) && strpos($components['pass'], '\\') !== false)
+            ) {
+                throw new \SimpleSAML_Error_Exception('Invalid URL: '.$url);
+            }
+
             // allow URLs with standard ports specified (non-standard ports must then be allowed explicitly)
             if (isset($components['port']) &&
                 (($components['scheme'] === 'http' && $components['port'] !== 80) ||
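Review bot: The added guard rejects a backslash only in `$components['user']` and `$components['pass']`, and the comment `// check for userinfo` does not say why. Something like `// reject '\' in userinfo: parse_url() and browsers can disagree on where the host begins, so the host validated below may not be the one actually visited` would record the reason. Separately, the context line `$hostname = $components['host'];` still reads the host without checking that `parse_url()` returned an array containing `host`, so a malformed or host-less URL reaches the checks below with an undefined value. A guard before that line, such as `if ($components === false || !isset($components['host'])) { throw new \SimpleSAML_Error_Exception('Invalid URL: '.$url); }`, would fail closed. If userinfo is never legitimately needed in these URLs, rejecting it outright would be simpler than filtering one character, but that is a behaviour change to confirm; the enclosing function starts and ends outside the hunk.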