Legitimate redos test case?

[DevBrent]

If I am not mistaken, this CVE can only be triggered in one of these fairly absurd cases where you're already under attack with nothing less than arbitrary code execution.

• Someone is actively using get-func-name to process user-generated functions you've already evaluated and then passed the evaluated function into get-func-name.
• Supply-chain code that has been maliciously modified to have an attack function definition in it AND your code arbitrarily calls get-func-name on this supply -chain code's function.
• Supply-chain code that maliciously monkey patches function.prototype.toString or the function's own toString with the attack string.

Are there any legitimate test cases (making this a legitimate vulnerability) for this CVE, or did this just get fixed for the sake of responding to the CVE in a timely manner? This is a significant issue in the NPM ecosystem and I'd like to understand if this purely a problem of the CVE classification system or if there are other elements at work here.

Yes, it could be improved but a CVE at all let alone a HIGH SEVERITY CVE is masking more important work out there in the high severity range with legitimate reproduction steps.

GHSA-4q6p-r6v2-jvc5

I don't see how this is a network / remotely triggerable vulnerability that warrants a high CVE score like this.