The code snippet in question suffers from an argument injection vulnerability when crafting the command line for git blame, which allows attackers to create new files or overwrite existing ones. The vulnerable code uses the --output option without proper validation, allowing an attacker to execute arbitrary code on the server. Exploiting this vulnerability requires exploiting features offered by the invoked binary, such as the ability to write output to a file. The authors of the code discovered this vulnerability while analyzing their own code and decided to share it with a broader audience as part of a Capture the Flag challenge and a Code Security Advent Calendar. To exploit this vulnerability, an attacker must find a way to force Git operations to ignore the local repository and use one in their control instead, which can be done by corrupting critical files like .git/HEAD. The authors provide a solution for the challenge by creating a malicious Git configuration that uses a custom filesystem monitor daemon to execute arbitrary code.