Closed Bug 1831216 Opened 1 year ago Closed 1 year ago

Browser converts integers to IP addresses with forwardslash

Categories

(Core :: Networking, defect)

Firefox 109
defect

RESOLVED INVALID

People

(Reporter: 0xFNDH, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0

Steps to reproduce:

Enter number followed by a forward slash

Actual results:

Firefox converts the number into an IP address
POC Search: 16843009/ == http://1.1.1.1/ (cloudflare dns)
POC Search: 2130706433/ == http://127.0.0.1/ (localhost)

Expected results:

A search index of <number>%2f or 16843009%2f, to avoid accidentally going to an IP address when dividing numbers. This error has a low security impact for how it could be used to get someone to visit an IP address accidentally.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

This issue is probably "working as intended", because that's just how URL parsing works. The spec at https://url.spec.whatwg.org/#host-parsing has some funny examples.

Redirecting to the Networking team to ensure that we're 100% aligned with the standard.

Component: DOM: Security → Networking

FWIW, it's unclear if the POC was supposed to be in the address bar, but it also works in HTML, which is why I'm pointing at the network layer.
Example:

  1. in a console start a webserver that listens on port 8080, e.g. python3 -m http.server
  2. Go to a web page that contains a numerical IP address in a URL. For example like so <img src="http://2130706433:8000/" />
Blocks: url
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID
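
The integer-to-address conversion discussed in this bug, as an added example that is not part of the original report and is not Firefox code: a simplified version of the IPv4 parsing steps from the URL spec linked above, compared against the runtime's built-in `URL` parser. The function names (`parseIPv4Number`, `canonicalIPv4`, `isLoopbackHost`, `compareWithBuiltin`) and the sample hosts beyond the two integers from the report are assumptions made for illustration.

```javascript
// Added example (not Firefox code): simplified WHATWG IPv4 host parsing.

// Parse one dot-separated part: 0x prefix = hex, leading 0 = octal, else decimal.
function parseIPv4Number(part) {
  if (part === '') return null;
  let radix = 10;
  if (/^0x/i.test(part)) { part = part.slice(2); radix = 16; }
  else if (part.length > 1 && part[0] === '0') { part = part.slice(1); radix = 8; }
  if (part === '') return 0; // "0x" alone parses as 0
  const digits = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return digits.test(part) ? parseInt(part, radix) : null;
}

// Dotted-quad form of a numeric host, or null if it does not parse as IPv4.
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts[parts.length - 1] === '') parts.pop(); // one trailing dot is allowed
  if (parts.length === 0 || parts.length > 4) return null;
  const nums = parts.map(parseIPv4Number);
  if (nums.includes(null)) return null;
  const last = nums.pop(); // the last part fills all remaining bytes
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let addr = last;
  nums.forEach((n, i) => { addr += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((s) => Math.floor(addr / 2 ** s) % 256).join('.');
}

// Filter-side check on a raw host string: canonicalise first, then classify.
function isLoopbackHost(rawHost) {
  const ip = canonicalIPv4(rawHost);
  return ip !== null && ip.startsWith('127.');
}

// Constructed sample hosts; the first two are the integers from the report.
const SAMPLE_HOSTS = ['16843009', '2130706433', '0x7f.1', '017700000001', 'example.com'];

// Compare the parser above with the runtime's own WHATWG URL implementation.
function compareWithBuiltin() {
  return SAMPLE_HOSTS.map((raw) => ({
    raw,
    manual: canonicalIPv4(raw) || raw,
    builtin: new URL(`http://${raw}/`).hostname,
    loopback: isLoopbackHost(raw),
  }));
}

console.table(compareWithBuiltin());
```

Allowlists, log filters and proxy rules that match on the raw host string should compare the canonical form, since every spelling above reaches the same address.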