But Nginx isn't vulnerable. All Nginx does is proxy the HTTP headers. It is the applications that run behind Nginx that may be vulnerable depending on how they set/use environment variables.
Saying Nginx is vulnerable is like saying that the Linux kernel is vulnerable to heartbleed.
Whoever the f*ck had the brilliant idea to alter the environment variables of a server child process through incoming HTTP headers should have his browser's environment variables altered by the server's responses.
It's as much to blame by not, within the actual code, refusing to clear PROXY... Apache httpd isn't "vulnerable" either but it still created a code patch that ensures things don't sneak through as WELL as providing a runtime workaround. Plus, even the nginx mailing list example shows that it's a security issue.