diff --git a/source/common/network/utility.cc b/source/common/network/utility.cc
index b6b90c5a8acc2..aeef34dd5c0bb 100644
--- a/source/common/network/utility.cc
+++ b/source/common/network/utility.cc
@@ -90,6 +90,11 @@ uint32_t portFromUrl(const std::string& url, const std::string& scheme,
     throw EnvoyException(fmt::format("malformed url: {}", url));
   }
 
+  size_t rcolon_index = url.rfind(':');
+  if (colon_index != rcolon_index) {
+    throw EnvoyException(fmt::format("malformed url: {}", url));
+  }
+
   try {
     return std::stoi(url.substr(colon_index + 1));
   } catch (const std::invalid_argument& e) {
diff --git a/test/common/network/utility_test.cc b/test/common/network/utility_test.cc
index fe738d359e36a..335271422d671 100644
--- a/test/common/network/utility_test.cc
+++ b/test/common/network/utility_test.cc
@@ -29,6 +29,7 @@ TEST(NetworkUtility, Url) {
   EXPECT_THROW(Utility::hostFromTcpUrl("tcp://foo"), EnvoyException);
   EXPECT_THROW(Utility::portFromTcpUrl("tcp://foo"), EnvoyException);
   EXPECT_THROW(Utility::portFromTcpUrl("tcp://foo:bar"), EnvoyException);
+  EXPECT_THROW(Utility::portFromTcpUrl("tcp://https://foo:1234"), EnvoyException);
   EXPECT_THROW(Utility::hostFromTcpUrl(""), EnvoyException);
   EXPECT_THROW(Utility::portFromTcpUrl("tcp://foo:999999999999"), EnvoyException);
 }
@@ -40,6 +41,7 @@ TEST(NetworkUtility, udpUrl) {
   EXPECT_THROW(Utility::portFromUdpUrl("bogus://foo:1234"), EnvoyException);
   EXPECT_THROW(Utility::hostFromUdpUrl("tcp://foo"), EnvoyException);
   EXPECT_THROW(Utility::portFromUdpUrl("tcp://foo:1234"), EnvoyException);
+  EXPECT_THROW(Utility::portFromUdpUrl("udp://https://foo:1234"), EnvoyException);
   EXPECT_THROW(Utility::hostFromUdpUrl(""), EnvoyException);
   EXPECT_THROW(Utility::portFromUdpUrl("udp://foo:999999999999"), EnvoyException);
 }