diff --git a/src/proxy-capture/proxy-server.test.ts b/src/proxy-capture/proxy-server.test.ts
index 3dea2f2e887..fc120f527f3 100644
--- a/src/proxy-capture/proxy-server.test.ts
+++ b/src/proxy-capture/proxy-server.test.ts
@@ -18,5 +18,7 @@ describe("parseConnectTarget", () => {
 it("rejects invalid CONNECT ports", () => {
 expect(() => parseConnectTarget("[::1]:99999")).toThrow("Invalid CONNECT target port");
+ expect(() => parseConnectTarget("api.openai.com:1e3")).toThrow("Invalid CONNECT target port");
+ expect(() => parseConnectTarget("api.openai.com:0x50")).toThrow("Invalid CONNECT target port");
 });
 });
diff --git a/src/proxy-capture/proxy-server.ts b/src/proxy-capture/proxy-server.ts
index b62b1f88673..8542e291acc 100644
--- a/src/proxy-capture/proxy-server.ts
+++ b/src/proxy-capture/proxy-server.ts
@@ -64,6 +64,9 @@ export function parseConnectTarget(rawTarget: string | undefined): {
 }
 const hostname = trimmed.slice(0, lastColon).trim() || "127.0.0.1";
 const portText = trimmed.slice(lastColon + 1).trim();
+ if (!/^\d+$/.test(portText)) {
+ throw new Error("Invalid CONNECT target port");
+ }
 const port = Number(portText);
 if (!Number.isInteger(port) || port < 1 || port > 65535) {
 throw new Error("Invalid CONNECT target port");
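Review bot: The rejection cases in "rejects invalid CONNECT ports" stop at exponent and hex notation, while `Number()` also turns a decimal-point form and a signed form into a valid integer, so a later loosening of the digit check in proxy-server.ts would not fail this test for those inputs. Adding `expect(() => parseConnectTarget("api.openai.com:80.0")).toThrow("Invalid CONNECT target port");` and the same assertion for `"api.openai.com:+80"` would pin them. A positive case for a plain decimal port may already exist outside the hunk; if it does not, one belongs next to these so the stricter check cannot silently reject ordinary targets.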
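Review bot: The new digit-only guard carries no comment saying why it sits in front of a range check that looks sufficient on its own, which makes it easy to delete later as redundant. I would put `// Number() also parses "1e3", "0x50", "+80" and "80.0"; accept plain decimal digits only.` directly above the `if`. Separately, `/^\d+$/` still accepts zero-padded text such as `0080`, which parses to 80; if anything outside this hunk logs or matches on the raw target string rather than the parsed port, `/^[1-9]\d{0,4}$/` would keep the two forms identical. The body of parseConnectTarget starts and ends outside the hunk.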