diff --git a/Library/Homebrew/cask/installer.rb b/Library/Homebrew/cask/installer.rb
index 79ffc3dcc7..de73305989 100644
--- a/Library/Homebrew/cask/installer.rb
+++ b/Library/Homebrew/cask/installer.rb
@@ -11,8 +11,6 @@ require "cask/migrator"
 require "cask/quarantine"
 require "cask/tab"
 
-require "cgi"
-
 module Cask
   # Installer for a {Cask}.
   class Installer
diff --git a/Library/Homebrew/download_strategy.rb b/Library/Homebrew/download_strategy.rb
index 82cb409a5b..103b3a314c 100644
--- a/Library/Homebrew/download_strategy.rb
+++ b/Library/Homebrew/download_strategy.rb
@@ -5,7 +5,6 @@ require "json"
 require "time"
 require "unpack_strategy"
 require "lazy_object"
-require "cgi"
 require "lock_file"
 require "system_command"
 
@@ -384,9 +383,12 @@ class AbstractFileDownloadStrategy < AbstractDownloadStrategy
     if url.match?(URI::DEFAULT_PARSER.make_regexp)
       uri = URI(url)
 
-      if uri.query
-        query_params = CGI.parse(uri.query)
-        query_params["response-content-disposition"].each do |param|
+      if (uri_query = uri.query.presence)
+        URI.decode_www_form(uri_query).each do |key, param|
+          components[:query] << param if search_query
+
+          next if key != "response-content-disposition"
+
           query_basename = param[/attachment;\s*filename=(["']?)(.+)\1/i, 2]
           return File.basename(query_basename) if query_basename
         end
@@ -397,10 +399,6 @@ class AbstractFileDownloadStrategy < AbstractDownloadStrategy
           URI::DEFAULT_PARSER.unescape(part).presence
         end
       end
-
-      if search_query && (uri_query = uri.query.presence)
-        components[:query] = URI.decode_www_form(uri_query).map { _2 }
-      end
     else
       components[:path] = [url]
     end
diff --git a/Library/Homebrew/version.rb b/Library/Homebrew/version.rb
index acf6d440de..8d455e75fb 100644
--- a/Library/Homebrew/version.rb
+++ b/Library/Homebrew/version.rb
@@ -346,7 +346,8 @@ class Version
 
   sig { params(spec: T.any(String, Pathname), detected_from_url: T::Boolean).returns(Version) }
   def self.parse(spec, detected_from_url: false)
-    spec = CGI.unescape(spec.to_s) if detected_from_url
+    # This type of full-URL decoding is not technically correct but we only need a rough decode for version parsing.
+    spec = URI.decode_www_form_component(spec.to_s) if detected_from_url
 
     spec = Pathname(spec)