A recently revealed flaw in Git could allow an attacker to execute arbitrary remote code by infecting a Git project. The exploit, assigned a Common Vulnerabilities and Exposures (CVE) number of CVE-2018-11235, is triggered when users recursively clone repositories that contain a malicious .gitmodules file. The exploit essentially functions like a directory traversal attack that uses .gitmodules files as its starting point.
The exploit, according to the NIST National Vulnerability Database, affects all versions of Git "before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1.".