Impact
The vulnerability is located in the Wren compiler, where the peekChar function reads past the end of a buffer, allowing an attacker with local execution rights to read arbitrary memory belonging to the process. The disclosed memory can contain sensitive data such as compilation state, intermediate data structures, or even credentials if that region happens to hold them. The flaw is an unsafe memory operation, classified under the CWE identifier for out‑of‑bounds read. The primary impact is loss of confidentiality: the data read is not used to modify the program's state, but it could assist further attacks if chained with other vulnerabilities.
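To illustrate the class of defect described above, the following is an added, simplified model of a lexer peek routine with and without a bounds check; it is constructed for this page and is not Wren's actual code. The Lexer struct, its field names, the function names and the sample buffer are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of a lexer's source cursor (assumed layout, not Wren's). */
typedef struct {
    const char *start;   /* beginning of the source text */
    const char *current; /* next character to be consumed */
    size_t length;       /* number of valid bytes in the buffer */
} Lexer;

/* Unsafe variant: relies on a NUL sentinel and never consults length, so a
   source buffer without a trailing NUL, or a lookahead that runs past the end,
   reads whatever process memory happens to sit after the buffer. */
static char peekCharUnchecked(const Lexer *lexer, size_t ahead) {
    return lexer->current[ahead];
}

/* Hardened variant: compares the lookahead offset against the bytes actually
   remaining and reports end of input instead of dereferencing past the end. */
static char peekCharBounded(const Lexer *lexer, size_t ahead) {
    size_t consumed = (size_t)(lexer->current - lexer->start);
    if (ahead >= lexer->length - consumed) {
        return '\0';  /* end of input, never an out-of-bounds read */
    }
    return lexer->current[ahead];
}

/* Constructed input: a four-byte buffer with no terminating NUL, with the
   cursor on its final byte. Returns true when the in-range peek yields the
   last byte and the out-of-range peek is refused; peekCharUnchecked would
   have dereferenced buffer[4] in the second case. */
bool demoBoundedPeekStopsAtEnd(void) {
    char buffer[4] = {'v', 'a', 'r', ' '};
    Lexer lexer = { buffer, buffer + 3, sizeof buffer };
    (void)peekCharUnchecked;  /* shown for comparison only, deliberately not called */
    if (peekCharBounded(&lexer, 0) != ' ') return false;
    return peekCharBounded(&lexer, 1) == '\0';
}
```

The important property is that the bounded version depends on the recorded length, not on the presence of a sentinel byte that an untrusted or truncated source buffer may lack.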
Affected Systems
The affected product is wren-lang wren, with all releases up to version 0.4.0 vulnerable. No patch or fix has been released, and the maintainers have not yet responded to the issue report. Any system that locally compiles or interprets Wren scripts with one of these builds is affected.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate severity, but an EPSS score below 1 % and the absence of a KEV listing point to a low likelihood of real‑world exploitation at present. Exploitation requires a local attacker to supply input that triggers the out‑of‑bounds read, so anyone who can run code in the Wren compiler environment is in a position to trigger it. Although exploit code is publicly available, the lack of ready‑made tooling or a remote execution path limits the threat to environments where local users have write or execute access to the compiler.
OpenCVE Enrichment