GHSA-2phg-qgmm-r638: Sliver has Potential Zip Bomb Denial of Service in GzipEncoder
GzipEncoder does not limit output size when processing compressed data. This allows unauthenticated remote attackers to crash the Sliver server by sending an HTTP request containing highly compressed gzip data (a zip bomb).
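The missing control is a cap on decompressed output. The following is an added example, not Sliver's code or its patch; `boundedGunzip`, `gzipZeros`, `ErrTooLarge` and the 8 MiB cap are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// maxDecoded is an assumed cap; size it to the largest legitimate message.
const maxDecoded = 8 << 20 // 8 MiB

// ErrTooLarge is a hypothetical sentinel error for over-limit input.
var ErrTooLarge = errors.New("gzip: decompressed data exceeds limit")

// boundedGunzip decompresses data but never buffers more than limit+1 bytes.
func boundedGunzip(data []byte, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// The extra byte distinguishes "exactly limit" from "over limit".
	out, err := io.ReadAll(io.LimitReader(zr, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrTooLarge
	}
	return out, nil
}

// gzipZeros builds constructed test input: n zero bytes, gzip-compressed.
func gzipZeros(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(make([]byte, n))
	zw.Close()
	return buf.Bytes()
}

func main() {
	big := gzipZeros(64 << 20) // 64 MiB of zeros shrinks to tens of KiB
	_, err := boundedGunzip(big, maxDecoded)
	fmt.Printf("compressed=%d bytes, err=%v\n", len(big), err)
	small, err := boundedGunzip(gzipZeros(1024), maxDecoded)
	fmt.Printf("decoded=%d bytes, err=%v\n", len(small), err)
}
```

Capping the HTTP request body size alone does not address this, because the compressed input stays small while the output grows by roughly three orders of magnitude.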