Untrusted `.git` folder in Parent Directory Enabled Code Execution [CVE-2022-24765]

We discussed this vulnerability during Episode 137 on 18 April 2022.

This one is a bit of a cross-user attack on the same machine: when git is executed in a directory that doesn’t have a .git folder, it traverses upward looking for the .git/ of the repo. The problem is that if one accidentally invokes git while not in a repository, it will look in some potentially untrusted locations, because by default it traverses all the way to the root of the storage. This does require that an attacker be able to create a directory in a parent directory, so there is a bit of an ask there.

Once a malicious .git/ is created, some configuration options can cause arbitrary commands to be executed, allowing an attacker to execute commands as the victim user.
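To audit a working directory for this exposure, the added example below (not code from the episode or from the Git project) repeats the upward search described above and reports every `.git` entry whose owner is not the current user. The function names are hypothetical, and walking all the way to `/` regardless of mount points is a simplifying assumption.

```python
import os
from pathlib import Path


def find_git_dirs_above(start, trusted_uid=None):
    """Walk from `start` up to the filesystem root and return a list of
    (path, owner_uid, trusted) tuples, one for every .git entry found."""
    if trusted_uid is None:
        trusted_uid = os.getuid()
    findings = []
    current = Path(start).resolve()
    while True:
        candidate = current / ".git"
        try:
            # lstat: report the owner of the entry itself, never a symlink target.
            st = os.lstat(candidate)
        except OSError:
            st = None  # absent or unreadable at this level
        if st is not None:
            findings.append((str(candidate), st.st_uid, st.st_uid == trusted_uid))
        if current.parent == current:  # reached the root
            break
        current = current.parent
    return findings


def untrusted_git_dirs(start, trusted_uid=None):
    """Only the .git entries owned by someone other than `trusted_uid`."""
    return [f for f in find_git_dirs_above(start, trusted_uid) if not f[2]]


if __name__ == "__main__":
    # Audit the directory this script is run from.
    for path, uid, trusted in find_git_dirs_above(os.getcwd()):
        label = "ok" if trusted else "UNTRUSTED"
        print(f"{label:9} uid={uid} {path}")
```

Any `UNTRUSTED` line for a directory where git is routinely run is the situation this CVE describes.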