@joernchen reported an issue that could have allowed an attacker to execute arbitrary commands on a user’s computer if the user had Git LFS installed and cloned a malicious repository. Git LFS supports a per-repository configuration file to customize how certain aspects of Git LFS function. However, this file also allowed arbitrary Git configuration options to be modified. We addressed the vulnerability by restricting the per-repository Git LFS configuration options that can be set to a whitelisted safe subset. Users should upgrade their clients to Git LFS 1.0.1 or later to address this vulnerability.
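As an added example (not Git LFS's own code), the following Go sketch shows the allowlist approach the fix describes: a parser for a repository-supplied, git-config style file that accepts only a hypothetical safe set of `lfs.*` keys and reports every other Git option the file tries to set. The file format, the key names in the allowlist and the sample document are assumptions, not the real Git LFS 1.0.1 list.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Hypothetical allowlist of per-repository keys (not the real Git LFS 1.0.1 list).
var allowedKeys = map[string]bool{"lfs.url": true, "lfs.fetchinclude": true, "lfs.fetchexclude": true}

// FilterRepoConfig keeps only allowlisted keys from a git-config style document.
func FilterRepoConfig(doc string) (accepted map[string]string, rejected []string) {
	accepted = map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			// [lfs] -> "lfs"; [lfs "sub"] -> "lfs.sub"
			parts := strings.SplitN(strings.Trim(line, "[]"), " ", 2)
			section = strings.ToLower(parts[0])
			if len(parts) == 2 {
				section += "." + strings.Trim(parts[1], `"`)
			}
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 || section == "" {
			continue
		}
		key := section + "." + strings.ToLower(strings.TrimSpace(kv[0]))
		if allowedKeys[key] {
			accepted[key] = strings.TrimSpace(kv[1])
		} else {
			rejected = append(rejected, key)
		}
	}
	return accepted, rejected
}

func main() {
	// Constructed sample: one legitimate LFS key plus an unrelated Git option.
	sample := "[lfs]\n\turl = https://example.invalid/lfs\n[core]\n\tpager = less\n"
	acc, rej := FilterRepoConfig(sample)
	fmt.Println(acc, rej) // map[lfs.url:https://example.invalid/lfs] [core.pager]
}
```

Rejected keys are the ones a logging or alerting hook would surface, since a clone that ships non-LFS Git settings in this file is exactly the pattern the fix exists to stop.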

GitHub Enterprise is not directly affected, as this is a client-side vulnerability and Git LFS is disabled on GitHub Enterprise by default. If Git LFS is enabled, users should upgrade their clients as noted above.