diff --git a/spring-web/src/main/java/org/springframework/web/util/WebUtils.java b/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
index 2821b5e2fb..c406c506f7 100644
--- a/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
+++ b/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
@@ -33,6 +33,9 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 import org.springframework.http.HttpRequest;
 import org.springframework.util.Assert;
 import org.springframework.util.LinkedMultiValueMap;
@@ -131,6 +134,8 @@ public abstract class WebUtils {
 	/** Key for the mutex session attribute */
 	public static final String SESSION_MUTEX_ATTRIBUTE = WebUtils.class.getName() + ".MUTEX";
 
+	private static final Log logger = LogFactory.getLog(WebUtils.class);
+
 
 	/**
 	 * Set a system property to the web application root directory.
@@ -786,7 +791,14 @@ public abstract class WebUtils {
 			return true;
 		}
 		else if (allowedOrigins.isEmpty()) {
-			UriComponents originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
+			UriComponents originComponents;
+			try {
+				originComponents = UriComponentsBuilder.fromHttpUrl(origin).build();
+			}
+			catch (IllegalArgumentException ex) {
+				logger.error("Failed to parse Origin header value [" + origin + "]");
+				return false;
+			}
 			UriComponents requestComponents = UriComponentsBuilder.fromHttpRequest(request).build();
 			int originPort = getPort(originComponents);
 			int requestPort = getPort(requestComponents);
diff --git a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
index e0a66ce26e..be8a2cec53 100644
--- a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
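Review bot: The new catch block in isValidOrigin writes an unauthenticated, attacker-controlled header value to the log at ERROR level, so any client can flood the error log (and whatever alerting is wired to it) simply by sending garbage `Origin` headers; a malformed Origin from a client is not an application error, and the caught exception is also dropped. I would log at DEBUG and keep the cause: `if (logger.isDebugEnabled()) { logger.debug("Rejected malformed Origin header value [" + origin + "]", ex); }` — or at most WARN without echoing the raw value. Returning false here is the correct fail-closed outcome, and it also covers the literal `Origin: null` that browsers send for opaque origins (sandboxed frames, redirects), which `fromHttpUrl` presumably rejects as well; a short comment on the catch saying so would help the next reader, e.g. `// Malformed or "null" Origin: reject rather than propagate the parse error`. isValidOrigin begins and ends outside this hunk.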
+++ b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
@@ -142,6 +142,10 @@ public class WebUtilsTests {
 		request.getHeaders().set(HttpHeaders.ORIGIN, "https://mydomain1.com");
 		assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
 
+		servletRequest.setServerName("invalid-origin");
+		request.getHeaders().set(HttpHeaders.ORIGIN, "invalid-origin");
+		assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));
+
 		allowedOrigins = Arrays.asList("*");
 		servletRequest.setServerName("mydomain1.com");
 		request.getHeaders().set(HttpHeaders.ORIGIN, "http://mydomain2.com");
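Review bot: The new assertions cover only a scheme-less value, while the most common malformed Origin a real browser sends is the literal string `null` (opaque origins), which exercises the same catch path and is the case most worth pinning. I would add `request.getHeaders().set(HttpHeaders.ORIGIN, "null");` followed by `assertFalse(WebUtils.isValidOrigin(request, allowedOrigins));` next to the new block. The enclosing test method starts and ends outside this hunk.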