This is some fancy stuff. Strictly speaking, these aren’t issues in the HTTP/2 protocol. However, with many websites using HTTP/1.1 for their backend communication, the translation from HTTP/2 to HTTP/1.1 becomes a major source of vulnerabilities due to insufficient validation.
Having gone more thoroughly through the spec (thanks @x_cli): yes, the HTTP/2 spec does have rules to make the conversion from HTTP/2 to HTTP/1.1 safer. In some cases these rules were ignored, but sometimes they were just not strict enough. E.g. allowing both :authority and Host headers is a bad idea.
As another reply points out, Transfer-Encoding is indeed forbidden. While I had seen the relevant spec section, I initially interpreted it as only relevant for the HTTP/1.1 to HTTP/2 transition. This is actually not the case.
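The downgrade the thread is talking about, as an added example that is not part of the original posts nor the code of any real proxy: a naive HTTP/2 to HTTP/1.1 translation beside a strict one. The strict variant refuses the connection-specific fields HTTP/2 forbids (Transfer-Encoding among them), accepts a Host header only when it repeats :authority (the stricter reading the second post argues for, and an assumption of this example rather than spec text), and rejects CR/LF in field values, which HTTP/2 framing happily carries but an HTTP/1.1 backend reads as a new header line. Requests are modelled as the (name, value) list HPACK delivers; all sample requests are constructed, not captured traffic.

```python
"""Naive versus strict HTTP/2 -> HTTP/1.1 request translation (added example)."""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Connection-specific fields that HTTP/2 forbids in requests and that a
# downgrading proxy must therefore never copy into the HTTP/1.1 request.
CONNECTION_SPECIFIC = {
    "connection", "transfer-encoding", "keep-alive",
    "proxy-connection", "upgrade",
}


class DowngradeError(ValueError):
    """Raised by strict_downgrade() when the HTTP/2 request is malformed."""


def _split(headers: List[Header]) -> Tuple[Dict[str, str], List[Header]]:
    pseudo = {n: v for n, v in headers if n.startswith(":")}
    regular = [(n, v) for n, v in headers if not n.startswith(":")]
    return pseudo, regular


def _serialize(request_line: str, lines: List[str], body: bytes) -> bytes:
    head = "\r\n".join([request_line, *lines]) + "\r\n\r\n"
    return head.encode("latin-1") + body


def naive_downgrade(headers: List[Header], body: bytes = b"") -> bytes:
    """No validation: copies every regular header verbatim, prefers a client
    supplied Host over :authority, and appends Content-Length from the real
    body length. This is the behaviour the thread warns about."""
    pseudo, regular = _split(headers)
    lines = []
    if not any(n == "host" for n, _ in regular):
        lines.append(f"Host: {pseudo[':authority']}")
    lines.extend(f"{n}: {v}" for n, v in regular)
    lines.append(f"Content-Length: {len(body)}")
    return _serialize(f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1", lines, body)


def strict_downgrade(headers: List[Header], body: bytes = b"") -> bytes:
    """Rejects anything the HTTP/1.1 backend could read differently than the
    HTTP/2 frontend did (hypothetical policy, assumed for this example)."""
    pseudo, regular = _split(headers)
    for name in (":method", ":scheme", ":path", ":authority"):
        if name not in pseudo:
            raise DowngradeError(f"missing pseudo-header {name}")
    # Whitespace or CR/LF in a pseudo-header would rewrite the request line.
    for name, value in pseudo.items():
        if any(c in " \t\r\n\0" for c in value):
            raise DowngradeError(f"illegal character in {name}")
    lines = [f"Host: {pseudo[':authority']}"]
    for name, value in regular:
        if name != name.lower() or ":" in name:
            raise DowngradeError(f"malformed header name {name!r}")
        # HTTP/2 framing does not stop CR/LF inside a field value; the
        # HTTP/1.1 backend would parse what follows as another header.
        if any(c in "\r\n\0" for c in name + value):
            raise DowngradeError(f"control character in header {name!r}")
        if name in CONNECTION_SPECIFIC:
            raise DowngradeError(f"connection-specific header {name!r}")
        if name == "host":
            # Exactly one origin: Host may only repeat :authority, then it is dropped.
            if value != pseudo[":authority"]:
                raise DowngradeError("Host does not match :authority")
            continue
        if name == "content-length":
            # In HTTP/2 the frames define the body length; a disagreeing
            # Content-Length is malformed rather than something to forward.
            if value != str(len(body)):
                raise DowngradeError("Content-Length does not match body")
            continue
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")
    return _serialize(f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1", lines, body)


# Constructed sample requests (not captured traffic).
SMUGGLE = [  # H2.TE: the backend honours Transfer-Encoding, the frontend measured frames
    (":method", "POST"), (":scheme", "https"), (":path", "/"),
    (":authority", "example.com"), ("transfer-encoding", "chunked"),
]
SMUGGLE_BODY = b"0\r\n\r\nGET /admin HTTP/1.1\r\nX: "
HOST_CLASH = [
    (":method", "GET"), (":scheme", "https"), (":path", "/"),
    (":authority", "example.com"), ("host", "internal.example"),
]
CRLF_INJECT = [
    (":method", "GET"), (":scheme", "https"), (":path", "/"),
    (":authority", "example.com"), ("x-test", "a\r\ntransfer-encoding: chunked"),
]

if __name__ == "__main__":
    print(naive_downgrade(SMUGGLE, SMUGGLE_BODY).decode())
    for req in (SMUGGLE, HOST_CLASH, CRLF_INJECT):
        try:
            strict_downgrade(req, SMUGGLE_BODY if req is SMUGGLE else b"")
        except DowngradeError as e:
            print("rejected:", e)
```

Run as a script, the naive output shows the classic desync shape: one HTTP/1.1 request carrying both `transfer-encoding: chunked` and a `Content-Length` computed from the frames, with the smuggled `GET /admin` sitting in the body. The strict translator rejects all three sample requests and, for a clean request, emits a single Host line derived from :authority.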