Server-side Request Forgery (SSRF)
A vulnerability has been found in git that can also be triggered through the Kallithea UI. An attacker could make Kallithea execute a 'git clone' with a specially crafted URL, allowing them to send arbitrary packets into the local network accessible from the server.
Please find more details on the reporter's website.
Thanks to stypr of Flatt Security for reporting this vulnerability.
Resolution / Affected versions
While the issue is actually in the git client, a mitigation is added to Kallithea release 0.6.3. Users are advised to upgrade as soon as possible.
To our knowledge, no git version with a fix of the root cause has been
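One way to vet a remote clone URL before it reaches 'git clone', as an added example (not Kallithea's actual mitigation in 0.6.3 and not code from this advisory). The scheme allowlist, the name check_clone_url and the sample host names and addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https", "ssh", "git"}  # assumption: site policy

# Constructed sample DNS data so the example runs offline.
FAKE_DNS = {
    "code.example.org": {"93.184.216.34"},
    "intranet.example.org": {"10.0.0.5"},
    "localhost": {"127.0.0.1"},
}


def fake_resolve(host):
    """Offline stand-in for DNS, backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise OSError("unknown host")
    return FAKE_DNS[host]


def _resolve(host):
    """Return every IP address the host name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_clone_url(url, resolve=_resolve):
    """Return None if url may be handed to 'git clone', else a reason."""
    # Percent-decode first so encoded control characters are caught too.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in unquote(url)):
        return "control character or whitespace in URL"
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if not host:
        return "missing host"
    try:
        addresses = resolve(host)
    except OSError:
        return "host does not resolve"
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if not ip.is_global:  # loopback, private, link-local, reserved
            return "host resolves to non-public address " + str(ip)
    return None
```

The git client resolves the host name again when it connects, so this check narrows the exposure but does not pin the address that is finally contacted.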
Mercurial changeset fixing the issue: https://kallithea-scm.org/repos/kallithea/changeset/a8a51a3bdb6181e498a862f84eb2d50928330a68
Blog post by the reporter (stypr): https://blog.harold.kim/2020/11/invalid-url-on-git-clone-leading-to-ssrf