@joernchen discovered that the command-line git clone tool does not correctly sanitize submodule URLs. When cloning submodules, for example using git clone --recurse-submodules or git submodule update, the URL of a submodule could be interpreted as a command-line argument to git clone.

As GitHub Desktop recursively clones submodules by default, @joernchen was able to provide a full proof-of-concept that this bug could trigger arbitrary code execution when cloning a malicious repository. No impact was identified within GitHub.com or in GitHub Enterprise.

We addressed the vulnerability by working with the upstream Git project to fix this specific argument injection and add stricter parameter checks to prevent similar issues in the future. CVE-2018-17456 has been assigned to this vulnerability and can be found in the National Vulnerability Database. On GitHub.com we also added detection for potentially malicious repositories to prevent the exploitation of outdated Git clients.
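The kind of repository-side check described above can be sketched as follows. This is an added example, not code from GitHub or the Git project. The function name option_like_urls and the sample file are constructed for illustration, and it assumes that a submodule URL beginning with "-" is the pattern to flag.

```python
import re

# [submodule "name"] header and "key = value" lines as they appear in .gitmodules.
SECTION = re.compile(r'^\[submodule\s+"(?P<name>(?:[^"\\]|\\.)*)"\]$', re.I)
KEYVAL = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<val>.*?)\s*$')


def option_like_urls(gitmodules_text):
    """Return (submodule, url) pairs whose url could be read as an option."""
    findings = []
    current = None  # name of the submodule section being read, if any
    for raw in gitmodules_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = SECTION.match(line)
        if header:
            current = header.group("name")
            continue
        if line.startswith("["):
            current = None  # some other section; its keys are not submodule URLs
            continue
        pair = KEYVAL.match(line)
        if pair and current is not None and pair.group("key").lower() == "url":
            # Config values may be double-quoted, so drop quotes before checking
            # (conservative: a quoted leading dash is still a leading dash).
            value = pair.group("val").replace('"', "")
            if value.startswith("-"):
                findings.append((current, value))
    return findings


# Constructed sample input; the flagged values are inert placeholders.
SAMPLE = """\
[submodule "docs"]
\tpath = docs
\turl = https://example.com/docs.git
[submodule "vendored"]
\tpath = vendored
\turl = --placeholder-option=value
[submodule "quoted"]
\tpath = quoted
\tURL = "-x"
"""

if __name__ == "__main__":
    for name, url in option_like_urls(SAMPLE):
        print(f"suspicious submodule {name!r}: url {url!r} starts with '-'")
```

Running such a check before a recursive clone, or on the receiving side of a push, flags the repository regardless of which Git client version later clones it.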