by icedchai 1433 days ago
I forget the specifics, but there was no way to exercise the module remotely. I think it was actually Apache, not nginx, and the module was not even loaded. It was one of those bullshit "medium priority" line items.
2 comments

You are probably misremembering the story. If the module was really not enabled it wouldn't come up in a security scan or be present in the banner.
If it's the kind of report I've seen, it could've been along the lines of Package version X.Y.Z comes with M module which has V vulnerability. Upgrade to X.Y.Z+1, which patched it. They don't actually look at the enabled modules.
I thought it might be that. Yeah.
Yes, it was exactly like that.
What happens when another dev takes over and loads the module? This sounds similar to using a vulnerable library without invoking the vulnerable function - it still could unwittingly be used in the future.
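
An added example, not part of any comment in this thread: a triage sketch for the case discussed above, where a version-based scanner flags a bundled module without checking whether it is loaded. The `apachectl -M` text, the finding IDs, the `installed` field and the function names are all constructed for illustration.

```python
import re

# Constructed sample of `apachectl -M` output (not taken from the thread).
APACHECTL_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_event_module (shared)
 ssl_module (shared)
"""

# Constructed version-based findings; IDs are placeholders, and "installed"
# is a hypothetical field meaning the module file ships with the package.
FINDINGS = [
    {"id": "FINDING-1", "module": "mod_ssl", "installed": True},
    {"id": "FINDING-2", "module": "mod_lua", "installed": True},
    {"id": "FINDING-3", "module": "mod_proxy_ftp", "installed": False},
]


def loaded_modules(apachectl_output):
    """Return module identifiers (e.g. 'ssl_module') listed by `apachectl -M`."""
    pattern = r"^[ \t]+(\w+_module)[ \t]+\((?:static|shared)\)"
    return {m.group(1) for m in re.finditer(pattern, apachectl_output, re.M)}


def identifier(mod_name):
    # Assumed naming convention: mod_ssl -> ssl_module (a few modules differ).
    return re.sub(r"^mod_", "", mod_name) + "_module"


def triage(findings, apachectl_output):
    """Map each finding ID to 'exposed', 'latent' or 'absent'."""
    loaded = loaded_modules(apachectl_output)
    result = {}
    for f in findings:
        if identifier(f["module"]) in loaded:
            status = "exposed"   # module is loaded: the finding applies now
        elif f["installed"]:
            status = "latent"    # on disk but not loaded: a later LoadModule exposes it
        else:
            status = "absent"    # module is not shipped on this host
        result[f["id"]] = status
    return result


if __name__ == "__main__":
    for finding_id, status in triage(FINDINGS, APACHECTL_M).items():
        print(finding_id, status)
```

The `latent` bucket keeps the "not loaded today" findings on record, so they are re-checked if the loaded-module list changes.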