A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.
Use HTTP/2 instead (clear boundaries between requests)
Disable reuse of backend connections eg.
http-reuse never
in HAProxy or whatever equivalent LB settings