Organizations that use Git as a code repository are vulnerable to an attack through submodules. The vulnerability, described in CVE-2018-17456, can allow arbitrary code to be executed when a user clones a subdirectory containing malicious code. The option-injection flaw was reported through the GitHub Bug Bounty program on September 23, with a coordinated disclosure date of October 5. GitHub Desktop, Atom, the CLI version of Git, and applications that might have embedded Git are all affected by the vulnerability.
Source: https://www.darkreading.com/cloud/git-gets-patched-for-newly-found-flaw

