diff --git a/lib/rubygems/gemcutter_utilities/webauthn_listener.rb b/lib/rubygems/gemcutter_utilities/webauthn_listener.rb
index abf65efe37..7a692d9192 100644
--- a/lib/rubygems/gemcutter_utilities/webauthn_listener.rb
+++ b/lib/rubygems/gemcutter_utilities/webauthn_listener.rb
@@ -85,10 +85,17 @@ module Gem::GemcutterUtilities
     end
 
     def parse_otp_from_uri(uri)
-      require "cgi"
+      query = uri.query
+      return unless query && !query.empty?
 
-      return if uri.query.nil?
-      CGI.parse(uri.query).dig("code", 0)
+      query.split('&') do |param|
+        key, value = param.split('=', 2)
+        if value && Gem::URI.decode_www_form_component(key) == "code"
+          return Gem::URI.decode_www_form_component(value)
+        end
+      end
+
+      nil
     end
 
     class SocketResponder