That's not really nginx's fault; its behaviour is quite sensible. The main problem is that PHP does some poorly-documented magic behind the scenes[1] that modifies the information nginx gives it in a way that causes security issues. The solution is not to do that; if you really need the path-splitting functionality that cgi.fix_pathinfo provides, it's better and safer to set fastcgi_split_path_info in the nginx configuration instead.
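
An added example, not part of the comment above: the setup it recommends, with the weak location block shown commented out beside the corrected one. The backend address 127.0.0.1:9000 and the use of the stock fastcgi_params file are assumptions.

```nginx
# php.ini (assumed to be set alongside this config):
#   cgi.fix_pathinfo=0
# With that off, PHP runs exactly the SCRIPT_FILENAME nginx sends and does
# no path rewriting of its own.

# Weak form, shown for contrast only: every URI containing ".php" is passed
# through unsplit, so with cgi.fix_pathinfo=1 it is PHP, not nginx, that
# decides which file on disk is the script.
#
# location ~ \.php {
#     include       fastcgi_params;
#     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#     fastcgi_pass  127.0.0.1:9000;
# }

# Corrected form: nginx does the splitting and checks the result.
location ~ [^/]\.php(/|$) {
    # Capture 1 becomes $fastcgi_script_name, capture 2 becomes
    # $fastcgi_path_info. The non-greedy match stops at the first ".php".
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # Refuse the request unless the script half names a real file.
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    include       fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_pass  127.0.0.1:9000;   # assumed PHP-FPM listener
}
```

Scripts that rely on PATH_INFO keep working because nginx supplies it explicitly; the file check only works as written when nginx and PHP see the same filesystem.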