@kyprizel discovered a way to inject limited request headers into internal Git proxy requests. While we were unable to find a way for an attacker to exploit the issue, the behavior was potentially dangerous and warranted a fix. We addressed the vulnerability by ensuring that the Content-Length header cannot be injected and that the valid Content-Length header accurately represents the content, so that other headers cannot be injected.

This issue has been fixed in GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, and 2.4.23.
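
The two properties the fix describes can be sketched as follows. This is an added illustration, not GitHub's code: the function names, the header policy and the sample request are assumptions. The proxy drops client-chosen framing headers, rejects CR/LF in anything it forwards, and emits a single Content-Length computed from the bytes it actually sends.

```python
# Added illustration; not GitHub's code. Names and header policy are assumptions.
FRAMING_HEADERS = {"content-length", "transfer-encoding"}  # owned by the proxy


def build_upstream_request(method, path, client_headers, body):
    """Serialize one HTTP/1.1 request for the internal hop.

    client_headers: list of (name, value) string pairs taken from the client.
    body: the bytes actually read from the client.
    """
    if any(c in method + path for c in "\r\n "):
        raise ValueError("illegal character in request line")
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in client_headers:
        if name.lower() in FRAMING_HEADERS:
            continue  # never forward client-chosen framing
        bad_name = not name or any(c in name for c in "\r\n: ")
        bad_value = any(c in value for c in "\r\n\0")
        if bad_name or bad_value:
            raise ValueError(f"illegal character in header {name!r}")
        lines.append(f"{name}: {value}")
    # The only Content-Length is derived from the body being sent.
    lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


def parse_upstream_view(raw):
    """Parse the bytes as the internal server would.

    Returns (headers, body, leftover); leftover must be empty, otherwise
    the trailing bytes would be read as the start of another request.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    header_lines = head.decode("latin-1").split("\r\n")[1:]
    headers = [tuple(line.split(": ", 1)) for line in header_lines]
    lengths = [int(v) for n, v in headers if n.lower() == "content-length"]
    if len(lengths) != 1:
        raise ValueError("ambiguous framing")
    return headers, rest[:lengths[0]], rest[lengths[0]:]


if __name__ == "__main__":
    # Constructed sample: the client claims a length that does not match the body.
    sample = [("Host", "git.internal.example"), ("Content-Length", "0")]
    raw = build_upstream_request("POST", "/example.git/git-upload-pack",
                                 sample, b"constructed-body-bytes")
    print(parse_upstream_view(raw))
```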