Zhiniang Peng of Qihoo 360 Core Security has discovered and disclosed a devastating vulnerability in Shadowsocks stream ciphers. Under modest assumptions, an attacker can get full decryption of recorded Shadowsocks sessions, without knowing the password. The only mitigation is to stop using stream ciphers and only use AEAD ciphers.
More detailed / easier to understand explanation in Chinese:
More detailed / easier to understand explanation in English: