dompdf, a popular PDF generation library used extensively within the PHP ecosystem, has been found to have a remote code execution (RCE) vulnerability due to its handling of custom font styles and loading of external style sheets. Researchers from Positive Security discovered that by manipulating these features, an attacker could load arbitrary PHP code into a PDF file, which would then be executed on the target server. This vulnerability affects versions 0.8.5 and above of dompdf, with no fix currently available. To mitigate this issue, developers can disable the loading of custom fonts, restrict access to the Composer install location, or use an alternative library that does not have this vulnerability. The vulnerability was first identified by researchers who created a working demo using the php-goof application on a Snyk GitHub repo, showcasing how an attacker could exploit it to execute arbitrary PHP code.
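One way to apply the first two mitigations named above in application code, as an added example that is not taken from dompdf, Snyk or Positive Security. The factory name `hardenedDompdf`, the helper `canonicalDir`, the `./public` web root and the autoloader path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

use Dompdf\Dompdf;
use Dompdf\Options;

require __DIR__ . '/vendor/autoload.php'; // assumption: Composer autoloader path

/** Resolve a directory to its canonical form with a trailing separator. */
function canonicalDir(string $dir): string
{
    $real = $dir === '' ? false : realpath($dir);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException("Cannot resolve directory: $dir");
    }
    return rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
}

/**
 * Hypothetical factory: refuse to start when the dompdf install is reachable
 * under the web root, then build an instance with remote loading disabled.
 */
function hardenedDompdf(string $webRoot): Dompdf
{
    // Dompdf\Dompdf lives in <install>/src/Dompdf.php, so go up two levels.
    $classFile = (new ReflectionClass(Dompdf::class))->getFileName();
    $install   = canonicalDir(dirname($classFile, 2));
    $root      = canonicalDir($webRoot);

    if (strncmp($install, $root, strlen($root)) === 0) {
        throw new RuntimeException("dompdf is installed under the web root: $install");
    }

    $options = new Options();
    $options->setIsRemoteEnabled(false); // no remote stylesheets, fonts or images
    $options->setIsPhpEnabled(false);    // no embedded PHP in rendered documents
    return new Dompdf($options);
}

// Assumption: the web server's document root is ./public next to this script.
$dompdf = hardenedDompdf(__DIR__ . '/public');
$dompdf->loadHtml('<h1>Invoice</h1><p>Constructed sample input.</p>');
$dompdf->render();
file_put_contents(__DIR__ . '/out.pdf', $dompdf->output());
```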