@NoEffex identified an issue in msys2, a dependency of GitHub Desktop for Windows, that could have allowed an attacker to execute arbitrary shell commands. When a non–Cygwin-based application executes a Cygwin-based application, a character translation is done for certain Unicode characters. As a result, a specific Unicode character was being interpreted as a double quote and could be used to perform a shell injection attack. This vulnerability was fixed in version 3.0.13 of GitHub Desktop for Windows.