@zhuowei found that malicious x-github-client: URLs could be crafted, leading to arbitrary remote code execution when visited by users. This vulnerability was fixed in version 0.5.6 of the GitHub Desktop application.
x-github-client: