Project Zero team found that a specially crafted URL could make the Git client into sending credential information of an alternative host to an attacker's host. In this case, the specially crafted URL needs to contain a newline character to trick the credential handling (performs url decoding on most possible url components, no additional validation) and sending the data off to an alternate host.

Updated Now : Credential protocol code is now forbidding newline characters in any values.

More : https://lore.kernel.org/lkml/...