dart-lang / http2

A HTTP/2 implementation for dart.

Home Page: https://pub.dev/packages/http2

CRLF injection using headers

n0npax opened this issue · comments

Example code and a full description can be found here: https://github.com/n0npax/dart-test-http2

Basically, a header like the one below was accepted by the library and passed to the downstream service.

  var headers = [
    // ...
    Header.ascii(':scheme', uri.scheme),
    // CR LF embedded in the header value
    Header.ascii('test0', "llama0\r\nHackiery: example.com"),
    Header.ascii('test1', "llama1"),
    // ...
  ];
  var stream = transport.makeRequest(headers, endStream: true);

The request was interpreted by the server as:

Remote-Addr: 127.0.0.1
Host: localhost
Test0: llama0
Hackiery: example.com
Test1: llama1
Test2: llama2

As you can see, Hackiery: example.com was interpreted as a new header.

This looks like a CRLF injection/header forgery issue.
I believe this is a security risk if the user can manipulate a header value.

Wrong description. The issue may not be CRLF, but just an unvalidated header. Need to check if this is a real issue.
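
A sender-side check that rejects the `test0` value from the report before it is handed to `makeRequest`, given here as an added example (it is not code from the http2 package or from the issue author). `fieldProblem` is a hypothetical helper, the header list is a constructed sample, and the rules applied are the field-validity rules of RFC 9113 section 8.2.1.

```dart
import 'dart:convert';

// Hypothetical helper, not part of package:http2. Returns null when the field
// passes the RFC 9113 section 8.2.1 checks, otherwise a short reason.
String? fieldProblem(String name, String value) {
  final nameBytes = utf8.encode(name);
  if (nameBytes.isEmpty) return 'empty name';
  for (var i = 0; i < nameBytes.length; i++) {
    final b = nameBytes[i];
    // A colon is only allowed as the first byte of a pseudo-header name.
    final pseudoColon = i == 0 && b == 0x3a;
    // Names: no controls or space, no uppercase ASCII, no DEL or high bytes.
    if (b <= 0x20 || (b >= 0x41 && b <= 0x5a) || b >= 0x7f ||
        (b == 0x3a && !pseudoColon)) {
      return 'illegal byte 0x${b.toRadixString(16)} in name';
    }
  }
  final valueBytes = utf8.encode(value);
  for (final b in valueBytes) {
    // Values: NUL, LF and CR are forbidden at any position.
    if (b == 0x00 || b == 0x0a || b == 0x0d) {
      return 'illegal byte 0x${b.toRadixString(16)} in value';
    }
  }
  if (valueBytes.isNotEmpty) {
    bool ws(int b) => b == 0x20 || b == 0x09;
    if (ws(valueBytes.first) || ws(valueBytes.last)) {
      return 'value starts or ends with whitespace';
    }
  }
  return null;
}

void main() {
  // Constructed sample mirroring the headers shown in the report.
  final headers = <List<String>>[
    [':scheme', 'https'],
    ['test0', 'llama0\r\nHackiery: example.com'],
    ['test1', 'llama1'],
  ];
  for (final h in headers) {
    final problem = fieldProblem(h[0], h[1]);
    print('${h[0]}: ${problem ?? "ok"}');
  }
}
```

Running the check on every header built from user-controlled input, and refusing to send the request when it returns a reason, keeps a value like the one in `test0` from reaching a downstream service that may re-serialize it as HTTP/1.1.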