Git v2.5.0 introduced uploadpack.allowReachableSHA1InWant, which allows fetching any commit from a remote repository as long as that commit is reachable from at least one ref. This can be useful for grabbing smaller subsets of large repositories at specific commits.

Since allowReachableSHA1InWant only allows access to commits reachable from at least one ref, it's not exposing any commits to which a remote client would not already have access; it just means they can fetch such commits directly, rather than having to fetch a ref (which may include a significant amount of unnecessary data in the resulting pack) and then checkout the desired commit.