I find it very unlikely that anyone using nginx does NOT use `set` at least.

Most nginx use cases are to end tls and then pass the request to node/php/go/etc. So, I bet you have at least one set with attacker controller data on a line like 'proxy_set_header X-Host $host;'

edit: nvm. aparently named captures are not affect. Unless you have a $1 somewhere, it should be fine.

The default NGINX PHP integration uses this:

    # regex to split $uri to $fastcgi_script_name and $fastcgi_path
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;