Control Character vulnerability - mitigated?

We’re using Kong Gateway 2.6 (upgrading soon) in Kubernetes, and have been informed by a client using our software that their security scan indicated a vulnerability related to using special characters (ex. 0x09) in a URL to manipulate the path/resource returned. From what I can understand, this appears to have been remedied/mitigated in nginx through this commit: "Disabled control characters in URIs." · nginx/nginx@0b66bd4

Does this apply to Kong as well? My understanding is Kong uses NGINX under the hood, but I’m not certain.

Our path is: (client app) → CloudFront → AWS NLB → Kong → (Flask backend app)
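
A check for the class of request described in the post, as an added example that is not part of the original post and is not Kong or nginx code: it classifies raw HTTP request lines by whether the request-target holds a control byte (0x00-0x1F or 0x7F, which covers the 0x09 from the scan). The percent-encoded category goes beyond what the post describes, and the function names and sample lines are constructed for illustration.

```python
import re

# Raw control bytes: 0x00-0x1F and 0x7F (0x09, the tab from the scan, included).
RAW_CTL = re.compile(rb"[\x00-\x1f\x7f]")
# Percent-encoded forms of the same bytes (%00-%1F, %7F). Tracked separately
# (assumption: the backend decodes the path after the proxy has accepted it).
ENC_CTL = re.compile(rb"%(?:[01][0-9A-Fa-f]|7[Ff])")


def classify_request_line(line: bytes) -> str:
    """Return 'malformed', 'raw-control', 'encoded-control' or 'clean'."""
    line = line.rstrip(b"\r\n")
    # Split on the first and last space so stray bytes stay inside the target.
    first, last = line.find(b" "), line.rfind(b" ")
    if first == -1 or first == last:
        return "malformed"
    target, version = line[first + 1:last], line[last + 1:]
    if not target or b" " in target or not version.startswith(b"HTTP/"):
        return "malformed"
    if RAW_CTL.search(target):
        return "raw-control"
    if ENC_CTL.search(target):
        return "encoded-control"
    return "clean"


# Constructed sample request lines (not taken from any real traffic).
SAMPLE_LINES = [
    b"GET /api/v1/items HTTP/1.1\r\n",
    b"GET /api/v1/items\x09x HTTP/1.1\r\n",
    b"GET /api/v1/items%09x HTTP/1.1\r\n",
    b"GET /report%20name?q=a%2Fb HTTP/1.1\r\n",
    b"GET\r\n",
]


def scan(lines):
    """Return (verdict, line) pairs for every line that is not clean."""
    verdicts = ((classify_request_line(raw), raw) for raw in lines)
    return [(verdict, raw) for verdict, raw in verdicts if verdict != "clean"]


if __name__ == "__main__":
    for verdict, raw in scan(SAMPLE_LINES):
        print(f"{verdict:16} {raw!r}")
```

Run against request lines captured at each hop of the path above, it shows which layer still forwards a control byte toward the backend.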