Node.js correctly ignores the NODE_ICU_DATA environment variable when it is running with elevated privileges (e.g. setuid root).
ICU on the other hand still honors the ICU_DATA environment variable, without regard for privilege level.
ICU is not very resilient to crafted data files but since users can select custom data files anyway with the --icu-data-dir
flag, the real-world impact is probably not much worse than what is already possible through documented means…
…which doesn’t mean it shouldn’t be fixed because scenarios where it is in fact exploitable are imaginable, just not very likely.
Suggestions: