diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 96aa4c7de..6cfc97e82 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -67,6 +67,7 @@ The type attribute can be add,update,fix,remove.
 Precompile regular expression in UnixFTPEntryParser.preParse(List<String>).
+ Guard against polynomial regular expression used on uncontrolled data in VMSVersioningFTPEntryParser.
 Add protected getters to FTPSClient #204.
 Add SubnetUtils.toString().
diff --git a/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java b/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java
index 5f7635163..a74eac266 100644
--- a/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java
+++ b/src/main/java/org/apache/commons/net/ftp/parser/VMSVersioningFTPEntryParser.java
@@ -43,7 +43,13 @@
 */
 public class VMSVersioningFTPEntryParser extends VMSFTPEntryParser {
- private static final String REGEX = "(.*?);([0-9]+)\\s*.*";
+ /**
+ * Guard against polynomial regular expression used on uncontrolled data.
+ * Don't look for more than 20 digits for the version.
+ * Don't look for more than 80 spaces after the version.
+ * Don't look for more than 80 characters after the spaces.
+ */
+ private static final String REGEX = "(.*?);([0-9]{1,20})\\s{0,80}.{0,80}";
 private static final Pattern PATTERN = Pattern.compile(REGEX);
 /**
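Review bot: The `.{0,80}` tail on the new `REGEX` constant turns the length cap into a match condition rather than only a backtracking bound: if `PATTERN` is applied with `matches()` (the call site is outside this hunk), a listing line with more than 80 characters after the version stops matching and would silently drop out of the version handling. The Javadoc lists the three limits but not that consequence; once confirmed against the call site I would add `* Lines that exceed these limits do not match and are not treated as versioned entries.` and a test with a long trailing field. Separately, `[0-9]{1,20}` still admits values beyond the range of `int` (and of `long` at 20 digits), so if group 2 is parsed numerically a server-supplied listing can still raise `NumberFormatException`; `[0-9]{1,9}` or a guarded parse would close that.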