diff --git a/lib/net/http.rb b/lib/net/http.rb
index 33f8b567bd..9351606215 100644
--- a/lib/net/http.rb
+++ b/lib/net/http.rb
@@ -1178,7 +1178,8 @@ module Net   #:nodoc:
     # The username of the proxy server, if one is configured.
     def proxy_user
       if ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE && @proxy_from_env
-        proxy_uri&.user
+        user = proxy_uri&.user
+        unescape(user) if user
       else
         @proxy_user
       end
@@ -1187,7 +1188,8 @@ module Net   #:nodoc:
     # The password of the proxy server, if one is configured.
     def proxy_pass
       if ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE && @proxy_from_env
-        proxy_uri&.password
+        pass = proxy_uri&.password
+        unescape(pass) if pass
       else
         @proxy_pass
       end
@@ -1198,6 +1200,11 @@ module Net   #:nodoc:
 
     private
 
+    def unescape(value)
+      require 'cgi/util'
+      CGI.unescape(value)
+    end
+
     # without proxy, obsolete
 
     def conn_address # :nodoc:
diff --git a/test/net/http/test_http.rb b/test/net/http/test_http.rb
index 22448d828f..60b6d51f99 100644
--- a/test/net/http/test_http.rb
+++ b/test/net/http/test_http.rb
@@ -188,6 +188,23 @@ class TestNetHTTP < Test::Unit::TestCase
     end
   end
 
+  def test_proxy_eh_ENV_with_urlencoded_user
+    TestNetHTTPUtils.clean_http_proxy_env do
+      ENV['http_proxy'] = 'http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000'
+
+      http = Net::HTTP.new 'hostname.example'
+
+      assert_equal true, http.proxy?
+      if Net::HTTP::ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE
+        assert_equal "Y\\X", http.proxy_user
+        assert_equal "R%S] ?X", http.proxy_pass
+      else
+        assert_nil http.proxy_user
+        assert_nil http.proxy_pass
+      end
+    end
+  end
+
   def test_proxy_eh_ENV_none_set
     TestNetHTTPUtils.clean_http_proxy_env do
       assert_equal false, Net::HTTP.new('hostname.example').proxy?