php-dompdf is vulnerable to Deserialization of Untrusted Data. The library is vulnerable to PHAR deserialization because it does not check the protocol of a resource before passing it to the file_get_contents() function. If an attacker can upload files of any type to the server, they can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution when dompdf is used with frameworks that have documented POP chains.
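
One way to apply the missing protocol check before file_get_contents(), as an added example that is not dompdf's own code. The names resourceScheme(), fetchResource() and disablePharWrapper() and the ALLOWED_SCHEMES list are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example; helper names are hypothetical and not part of dompdf's API.
// Assumption: the application only needs these schemes for fonts, images and CSS.
const ALLOWED_SCHEMES = ['http', 'https', 'file'];

// Return the lower-cased scheme of a resource reference, or 'file' for a plain path.
function resourceScheme(string $uri): string
{
    // Two or more characters before ':' so a Windows drive letter (C:\...) is not
    // mistaken for a scheme. Matching on ':' alone also catches forms without '//'.
    if (preg_match('#^([a-z][a-z0-9+.\-]+):#i', trim($uri), $m) === 1) {
        return strtolower($m[1]); // PHAR:// and phar:// are treated alike
    }
    return 'file';
}

// Fail closed: anything outside the allowlist never reaches file_get_contents().
function fetchResource(string $uri): string
{
    $scheme = resourceScheme($uri);
    if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
        throw new InvalidArgumentException("Blocked scheme: {$scheme}");
    }
    $data = @file_get_contents(trim($uri));
    if ($data === false) {
        throw new RuntimeException('Unable to read resource');
    }
    return $data;
}

// Defence in depth: remove the phar wrapper if the application never reads PHAR archives.
function disablePharWrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

// Constructed sample inputs; only the scheme decision is printed, nothing is fetched.
foreach (['https://example.com/logo.png', '/var/www/fonts/a.ttf', 'PHAR://uploads/avatar.jpg'] as $u) {
    $s = resourceScheme($u);
    printf("%-32s %s\n", $u, in_array($s, ALLOWED_SCHEMES, true) ? 'allowed' : "blocked ($s)");
}
```

A relative filename that contains a colon is treated as an unknown scheme and rejected, which keeps the check failing closed.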