diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2929ff8f..7661e4d7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### 0.11.7 (2017-06-01)
+
+*   Fix security vulnerability in parsing JSON from the DB (by specifying create_additions: false). This shouldn't be a concern unless you were passing untrusted user input in your job arguments. (hmac)
+
 ### 0.11.6 (2016-07-01)
 
 *   Fix for operating in nested transactions in Rails 5.0. (#160) (greysteil)
diff --git a/lib/que/adapters/base.rb b/lib/que/adapters/base.rb
index 222f6efa..f2705dda 100644
--- a/lib/que/adapters/base.rb
+++ b/lib/que/adapters/base.rb
@@ -102,7 +102,7 @@ def execute_prepared(name, params)
       CAST_PROCS[1184] = Time.method(:parse)
 
       # JSON.
-      CAST_PROCS[114] = JSON_MODULE.method(:load)
+      CAST_PROCS[114] = -> (value) { JSON_MODULE.load(value, create_additions: false) }
 
       # Boolean:
       CAST_PROCS[16] = 't'.method(:==)
diff --git a/lib/que/version.rb b/lib/que/version.rb
index 8006c0a2..4cf87a79 100644
--- a/lib/que/version.rb
+++ b/lib/que/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Que
-  Version = '0.11.6'
+  Version = '0.11.7'
 end