@xpn identified that malicious github-windows: URLs could be crafted, leading to arbitrary remote code execution. The code checking additional arguments passed in the URL was not working as intended. This vulnerability was fixed in GitHub for Windows version 3.0.17.