HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
{ "nvd_published_at": "2020-01-29T21:15:00Z", "cwe_ids": [ "CWE-444" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2020-02-20T20:54:33Z" }