Exposure of RSA Private Key in curl GitHub Repository
curl
Reported by yousesf
Vulnerability Details
Description:
I discovered that a private RSA key along with its certificate is publicly accessible inside the curl GitHub repository under the file tests/data/stunnel.pem. This file contains a PEM-formatted RSA private key, which should be kept strictly confidential.
Steps to Reproduce:
Navigate to the following URL in the curl GitHub repo:
https://github.com/curl/curl/blob/cc872ebc192f64aa6360853fbdbf0476d05b9178/tests/data/stunnel.pem
View the contents of the file, which contain a private RSA key and certificate.
Suggested Mitigations:
Remove the private key and certificate files from the public repository immediately.
If these keys are used in any environment, revoke and replace them with newly generated keys.
Use environment variables or secure vaults to store sensitive keys instead of including them in source code repositories.
Additional Notes:
The key appears to be 1024-bit RSA with an outdated signature algorithm (md5WithRSAEncryption).
The certificate validity expired long ago, indicating this might be a test key, but its public exposure is still a security risk.
Consider adding scanning tools or git pre-commit hooks to prevent committing private keys in the future.
## Impact
Disclosure of private keys compromises the security of encrypted communications.
If these keys are used anywhere in production or test environments, an attacker can fully compromise secure channels or authenticate maliciously.
Exposure of private keys in a public repository is a critical security risk, as it could allow attackers to:
Impersonate the server or service using this key
Decrypt sensitive communication if the key is used in production or testing environments
Conduct man-in-the-middle (MITM) attacks
Report Details
State
Closed
Substate
Not-Applicable
Weakness
Insecure Storage of Sensitive Information