@staaldraad discovered a vulnerability in Git that allows a repository containing submodules to be crafted so that a new post-checkout hook is installed for the submodule being cloned. The hook triggers and leads to code execution when the repository is cloned. Because GitHub Pages supports submodules, this could be used to gain code execution in the build phase of GitHub Pages on both GitHub.com and GitHub Enterprise. We immediately mitigated the vulnerability by temporarily disabling support for submodules within page builds, and reverted that change shortly afterwards, once a proper fix had been implemented in Git and deployed to production.

This vulnerability in Git was assigned CVE-2018-11235 and has been fixed in Git v2.13.7, v2.14.4, v2.15.2, v2.16.4, and v2.17.1.

This has been fixed in GitHub Enterprise 2.10.22, 2.11.16, 2.12.10, and 2.13.2.
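
To check a host against the fixed releases listed above, the following added example (not code from GitHub or the Git project) compares a version string with the first fixed release on each maintenance track. The function names are illustrative, and the handling of tracks outside the listed ones is an assumption: newer tracks are treated as fixed, older ones as unpatched.

```python
import re
import subprocess

# First fixed patch release on each maintenance track, as listed in the advisory.
GIT_FIXED = {(2, 13): 7, (2, 14): 4, (2, 15): 2, (2, 16): 4, (2, 17): 1}
GHE_FIXED = {(2, 10): 22, (2, 11): 16, (2, 12): 10, (2, 13): 2}


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'git version 2.17.1.windows.2'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_patched(version_text, fixed):
    """True if the version carries the CVE-2018-11235 fix per the `fixed` table."""
    major, minor, patch = parse_version(version_text)
    track = (major, minor)
    if track in fixed:
        return patch >= fixed[track]
    # Assumption: tracks newer than the last listed one include the fix;
    # older tracks have no listed fix release and are reported as unpatched.
    return track > max(fixed)


def local_git_patched():
    """Check the git binary found on PATH of this machine."""
    out = subprocess.run(["git", "--version"], capture_output=True,
                         text=True, check=True)
    return is_patched(out.stdout, GIT_FIXED)


if __name__ == "__main__":
    # Constructed sample version strings, not taken from real hosts.
    samples = [
        "git version 2.17.0",
        "git version 2.17.1.windows.2",
        "git version 2.14.3 (Apple Git-98)",
        "git version 2.12.5",
    ]
    for s in samples:
        print(f"{s!r}: {'patched' if is_patched(s, GIT_FIXED) else 'VULNERABLE'}")
```

Pass `GHE_FIXED` instead of `GIT_FIXED` to check a GitHub Enterprise version string in the same way.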