A major security vulnerability referenced as the CVE-2014-6271 and so-called as the Shellshock Bug has been found recently in the GNU Bash shell. Historically, Bash is actively used to create CGI programs and many of the Apache HTTP Server instances become vulnerable to the Shellshock Bug. VisualSVN Server uses a highly-isolated Apache HTTP Server instance to provide HTTP(S) access to Subversion repositories. The great news is that VisualSVN Server does not include the Bash package, so we confirm that default VisualSVN Server installations are NOT affected by the Shellshock Bug.
As it said above, VisualSVN Server does not include the Bash package and Bash is not involved in the normal operation of VisualSVN Server. However, it is recommended to check if you have Subversion hook scripts executed using a third-party Windows port of the GNU Bash. It’s highly recommended to install the corresponding hotfix if you have a third-party Bash package installed.
Note that even if you have Subversion hook scripts executed using third-party Bash package, the risks are still relatively average because Subversion hooks cannot be triggered if a user does not have appropriate access permissions to the corresponding repository.