isomorphic-git before 1.8.2 allows Directory Traversal via a crafted repository.
The MITRE CVE dictionary describes this issue as: