diff --git a/releases/releases.yaml b/releases/releases.yaml
index 43256960..3e6c968c 100644
--- a/releases/releases.yaml
+++ b/releases/releases.yaml
@@ -1367,3 +1367,4 @@ duktape_releases:
 - "Fix pointer overflow in String.prototype.startsWith/endsWith() with certain arguments (GH-2320)"
 - "Fix assertion failure and incorrect behavior in some enumeration cases involving inherited duplicate keys (GH-2322)"
 - "Fix unstable pointer in 'putvar' which could trigger e.g. in a with(proxy) statement (GH-2323)"
+ - "Fix unsafe behavior in JSON.stringify() when replacer argument is an array and Array.prototype has inherited index properties (GH-2202, GH-2324)"
diff --git a/src-input/duk_bi_json.c b/src-input/duk_bi_json.c
index efe0ad01..55fb3904 100644
--- a/src-input/duk_bi_json.c
+++ b/src-input/duk_bi_json.c
@@ -3021,7 +3021,7 @@ void duk_bi_json_stringify_helper(duk_hthread *thr,
 duk_uarridx_t plist_idx = 0;
 duk_small_uint_t enum_flags;
- js_ctx->idx_proplist = duk_push_array(thr); /* XXX: array internal? */
+ js_ctx->idx_proplist = duk_push_bare_array(thr);
 enum_flags = DUK_ENUM_ARRAY_INDICES_ONLY | DUK_ENUM_SORT_ARRAY_INDICES; /* expensive flag */
diff --git a/tests/ecmascript/test-bug-json-stringify-proplist-inherited-gh2202.js b/tests/ecmascript/test-bug-json-stringify-proplist-inherited-gh2202.js
new file mode 100644
index 00000000..15c222a3
--- /dev/null
+++ b/tests/ecmascript/test-bug-json-stringify-proplist-inherited-gh2202.js
@@ -0,0 +1,14 @@
+// https://github.com/svaarala/duktape/issues/2202
+
+/*===
+A
+B
+{}
+done
+===*/
+
+print('A');
+Object.defineProperty(Array.prototype, 0, { set: function () { } })
+print('B');
+print(String(JSON.stringify({ }, [ 0, 0])));
+print('done');
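Review bot: The new `duk_push_bare_array(thr)` call in `src-input/duk_bi_json.c` removes the old `/* XXX: array internal? */` remark without recording why the property list must not inherit from Array.prototype, so a later cleanup could switch it back to a normal array and reopen the issue. A short comment above the call would pin the intent, e.g. `/* Bare array: proplist must not inherit from Array.prototype, otherwise inherited index properties can interfere with internal writes (GH-2202, GH-2324). */`. The code that fills and reads the list lies outside this hunk, so whether other internal temporaries in duk_bi_json_stringify_helper() need the same treatment cannot be judged from here and is worth checking.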
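Review bot: The regression test in `tests/ecmascript/test-bug-json-stringify-proplist-inherited-gh2202.js` stringifies an empty object, so the expected `{}` only shows that the call no longer misbehaves, not that the replacer list is still built correctly. Serializing an object that has the listed key, e.g. `print(JSON.stringify({ 0: 'x', 1: 'y' }, [ 0, 0 ]));` with expected output `{"0":"x"}`, would also check filtering and duplicate removal while the inherited setter is installed. The release note speaks of inherited index properties in general, so a second case with an inherited non-setter property on `Array.prototype` seems worth adding; the `Object.defineProperty(...)` line is also missing its terminating semicolon.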