Arbitrary Shell Command Execution

Git-fastclone has a flaw that permits execution of arbitrary shell commands from .gitmodules. Attackers can trigger the execution by instructing a user to run a recursive clone from a repository they control. The attack is possible only if a user configures Git to automatically clone submodules from untrusted sources. The git-remote-ext command will be executed if the local or remote repository is recursively cloned or submodules are updated. The attack can also be triggered when an unencrypted git clone is inserted through a Man-in-the-Middle attack and exploited.