A critical security vulnerability in Git client that affects all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac was announced on Thursday.
The advisory warns that the bug could be exploited to allow for remote code execution if an attacker crafts a malicious Git tree that causes Git to overwrite its .git/config file when cloning or checking a repository. Linux clients are not affected if they run in a case-sensitive file system.
GitHub and GitHub Enterprise users should update their clients as soon as possible and be cautious when cloning or accessing Git repositories hosted on unsafe or untrusted hosts. Updated versions of Github for both Mac and Windows are available for download.
Any repositories hosted on github.com cannot contain malicious trees because they are being verified and blocked.