Severe, but you also need to use quite specific configuration to be vulnerable. I can imagine this pattern to be widespread in some classical PHP applications deployed via nginx.

better links:

https://depthfirst.com/research/nginx-rift-achieving-nginx-r... (https://news.ycombinator.com/item?id=48126029)

https://depthfirst.com/nginx-rift (https://news.ycombinator.com/item?id=48123365)