A member of Google’s Project Zero team discovered that a specially crafted URL could trick the Git client into sending credential information for an alternative host to an attacker’s host.
In this case, the specially crafted URL only needs to contain a newline character (an end-of-line control character) to fool the credential handling in existing Git releases into potentially sending the data to an alternate host.
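A defensive check for the behaviour described above, as an added example that is not code from Git or from the original page: it models credential data as newline-separated `key=value` lines (a simplified view of Git's credential helper format) and refuses any URL whose raw or percent-decoded components contain a control character. The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote


class UnsafeCredentialURL(ValueError):
    """Raised when a URL component could not be written as a single line."""


def _has_control(text):
    # Newline, carriage return, NUL and the other C0 controls, plus DEL.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def credential_request(url):
    """Build a line-based key=value block for `url`, or raise if unsafe."""
    # Check the raw string first: urlsplit() on current Python versions
    # silently strips raw newlines and tabs, which would hide them.
    if _has_control(url):
        raise UnsafeCredentialURL("raw control character in URL")

    parts = urlsplit(url)
    fields = [
        ("protocol", parts.scheme),
        ("host", unquote(parts.netloc.rpartition("@")[2])),
        ("username", unquote(parts.username or "")),
        ("path", unquote(parts.path.lstrip("/"))),
    ]
    lines = []
    for key, value in fields:
        if not value:
            continue
        # Decoding happens before the check, so %0A and %0D are caught too.
        if _has_control(value):
            raise UnsafeCredentialURL(f"control character in {key}")
        lines.append(f"{key}={value}")
    # A blank line terminates the block; every field occupies exactly one line.
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    # Constructed sample URLs: one ordinary, one with an encoded newline.
    for sample in ("https://git.example.com/repo.git",
                   "https://git.example.com%0Ainjected-line/repo.git"):
        try:
            print(repr(credential_request(sample)))
        except UnsafeCredentialURL as exc:
            print("rejected:", exc)
```

The same check can run in CI or a pre-clone wrapper over URLs taken from untrusted input, such as submodule definitions or user-supplied repository addresses.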