CVE-2018-9230

In OpenResty before 1.13.6.1, URI parameters were obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products.

Source: CVE-2018-9230