GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a url = line in a .lfsconfig file within a repository.
url =
.lfsconfig
github.com/git-lfs/git-lfs/lfsapi