While the only permitted drive letters for physical drives on Windows are letters of the US-English alphabet, this restriction does not apply to virtual drives assigned via subst <letter>:<path>. Git mistook such paths for relative paths, allowing writing outside of the worktree while cloning. References: https://kernel.googlesource.com/pub/scm/git/git/+/refs/tags/v2.24.1/Documentation/RelNotes/2.14.6.txt CREATE(Triage):(User=admin) CVE-2019-1351 (https://nvd.nist.gov/vuln/detail/CVE-2019-1351)