Johannes Schindelin post on the vulnerability and fix.
CVE-2021-21300: On case-insensitive filesystems, with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone.