diff --git a/CHANGES.rst b/CHANGES.rst
index 43b65eb33a..576b5f9478 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,3 +1,8 @@
+v44.1.1.1
+-------
+
+* #3659: Limit the amount of whitespace to search/backtrack (CVE-2022-40897)
+
 v44.1.1
 -------
 
diff --git a/setuptools/package_index.py b/setuptools/package_index.py
index f419d47167..6854d0470d 100644
--- a/setuptools/package_index.py
+++ b/setuptools/package_index.py
@@ -214,8 +214,10 @@ def wrapper(*args, **kwargs):
     return wrapper
 
 
-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
-# this line is here to fix emacs' cruddy broken syntax highlighting
+REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+"""
+Regex for an HTML tag with 'rel="val"' attributes.
+"""
 
 
 @unique_values
diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
index 60d968fdfa..05820bedd5 100644
--- a/setuptools/tests/test_packageindex.py
+++ b/setuptools/tests/test_packageindex.py
@@ -337,3 +337,11 @@ def test_percent_in_password(self, tmpdir, monkeypatch):
         cred = cfg.creds_by_repository['https://pypi.org']
         assert cred.username == 'jaraco'
         assert cred.password == 'pity%'
+
+
+@pytest.mark.timeout(1)
+def test_REL_DoS():
+    """
+    REL should not hang on a contrived attack string.
+    """
+    setuptools.package_index.REL.search('< rel=' + ' ' * 2**12)