@joernchen reported an issue that could have allowed an attacker to execute arbitrary commands on a user’s computer if they had Git LFS installed and cloned a malicious repository. Git LFS supports a per-repository configuration file to customize how certain aspects of Git LFS function. One of these configuration options is parsed and eventually used as a connection URL for an external SSH command. If an attacker crafted a malicious URL, SSH could interpret the host portion of the URL as a command-line flag and execute arbitrary commands via the ProxyCommand SSH option. We addressed the vulnerability by changing the way the URL is passed to SSH so that it cannot be interpreted as a flag. Users should upgrade their clients to Git LFS 2.1.1 or later to address this vulnerability.
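
The class of bug above comes down to how argv for the external `ssh` process is built from an untrusted URL. The following Go function is an added illustration, not Git LFS's own code or the exact change shipped in 2.1.1: it refuses any destination that begins with `-` and terminates option parsing with `--` so the host can only ever be a positional argument. The `git-lfs-authenticate <path> <operation>` remote command shape is an assumption for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SSHArgs builds the argv for an external ssh invocation from an LFS remote URL
// taken from untrusted per-repository configuration. A naive version would do
// exec("ssh", host, ...) directly, letting a host such as "-oSomething=..." be
// consumed by ssh's option parser instead of being treated as a destination.
// Hypothetical helper for illustration; not git-lfs's own implementation.
func SSHArgs(rawURL, operation string) ([]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "ssh" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	target := u.Hostname()
	if u.User != nil {
		target = u.User.Username() + "@" + target
	}
	// Defence 1: never hand ssh a destination that could parse as a flag.
	if u.Hostname() == "" || strings.HasPrefix(target, "-") {
		return nil, fmt.Errorf("refusing ssh destination %q: looks like a command-line flag", target)
	}
	args := []string{"ssh"}
	if p := u.Port(); p != "" { // url.Parse has already validated the port is numeric
		args = append(args, "-p", p)
	}
	// Defence 2: "--" ends option parsing, so whatever follows is positional only.
	args = append(args, "--", target,
		"git-lfs-authenticate", strings.TrimPrefix(u.Path, "/"), operation)
	return args, nil
}

func main() {
	// Constructed sample values; example.invalid is a reserved, non-routable name.
	args, err := SSHArgs("ssh://git@example.invalid:2222/org/repo.git", "download")
	fmt.Println(args, err)
	_, err = SSHArgs("ssh://-example.invalid/org/repo.git", "download")
	fmt.Println(err)
}
```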

Neither GitHub.com nor GitHub Enterprise is directly affected, as this is a client-side vulnerability. However, users who run a Git LFS client should upgrade their clients as noted above.