As reported on the mailing list, when NiFi is running in unsecured mode (HTTP), a request can be intercepted (or simply be malicious from its origin) and have a large request header injected, which can result in Jetty throwing an OutOfMemoryError.
This was reported with reference to the NCM, which indicates a 0.x release. Normal HTTP requests to the API will fail with HTTP response 413 - Request Entity Too Large. Further investigation is needed as this may only be related to cluster operations.
The setRequestHeaderSize method should allow for prevention of this issue.
(IP address redacted)
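The mitigation named above, as an added example (not NiFi's own code): an embedded Jetty server whose HttpConfiguration caps the request header size, plus a local check that an oversized header never reaches the handler. It assumes Jetty 9.x with the javax.servlet API; the class name, the 8 KiB limit and the padding header name are hypothetical.

```java
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.AbstractHandler;
import javax.servlet.http.*;
import java.io.IOException;
import java.net.*;
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicInteger;

public class BoundedHeaderCheck {
    static final int MAX_REQUEST_HEADER_BYTES = 8 * 1024; // assumed limit, tune for real clients
    static final AtomicInteger handled = new AtomicInteger();

    static Server build() {
        Server server = new Server();
        HttpConfiguration cfg = new HttpConfiguration();
        // Upper bound on the request line plus all header fields; the parser
        // rejects the request once this is exceeded instead of buffering more.
        cfg.setRequestHeaderSize(MAX_REQUEST_HEADER_BYTES);
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(cfg));
        connector.setPort(0); // ephemeral port for the local check
        server.addConnector(connector);
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request base, HttpServletRequest req,
                               HttpServletResponse resp) throws IOException {
                handled.incrementAndGet(); // counts requests that got past header parsing
                resp.setStatus(HttpServletResponse.SC_OK);
                base.setHandled(true);
            }
        });
        return server;
    }

    // Sends one GET to the local server with a constructed padding header of the given size.
    static String probe(int port, int headerBytes) {
        char[] pad = new char[headerBytes];
        Arrays.fill(pad, 'a');
        try {
            HttpURLConnection c = (HttpURLConnection) new URL("http://127.0.0.1:" + port + "/").openConnection();
            c.setRequestProperty("X-Constructed-Padding", new String(pad));
            return "HTTP " + c.getResponseCode();
        } catch (IOException e) {
            return "connection error: " + e.getMessage(); // server may close before replying
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = build();
        server.start();
        int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
        System.out.println("small header:     " + probe(port, 64));
        System.out.println("oversized header: " + probe(port, 4 * MAX_REQUEST_HEADER_BYTES));
        System.out.println("requests that reached the handler: " + handled.get());
        server.stop();
    }
}
```

The status returned for the oversized request depends on the Jetty version; the handler counter is the version-independent check that the request was rejected during header parsing.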