Why this matters

The bug. On a multi-user host, everything in /tmp is shared. The script runs as user app and names its temp file after its own PID, which is easy to guess (or to read from /proc), so an attacker can create /tmp/lookup-12345.txt ahead of time as a symlink. The script's redirect follows the symlink and writes to whatever it points at, that is, to any file the script's user has write access to.

The fix. mktemp creates a unique file with 0600 permissions, using an exclusive create so it never clobbers an existing path, and prints the name. Modern coreutils also lets you specify a template (-t lookup.XXXXXX) for readability; note that GNU coreutils marks -t as deprecated in favour of --tmpdir but still accepts it.

Defense in depth. Run the script in a private mount namespace so it sees its own /tmp, or use mktemp -d and do all the work inside the resulting 0700 directory.
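The fix and the defense-in-depth advice above, put together in a small POSIX sh script. This is an added example, not the original lookup script; it assumes a mktemp that accepts an XXXXXX template path (GNU coreutils or BSD), and the function names (make_workdir, write_lookup, perm_string, cleanup_workdir) are mine.

```shell
#!/bin/sh
# Hardened temp-file handling for the lookup script (added example, not the
# original script). Assumes a mktemp that accepts an XXXXXX template path
# (GNU coreutils or BSD); $TMPDIR is honoured when set.
set -eu
set -C   # noclobber: '>' refuses an existing regular file and creates new ones with O_EXCL, so a pre-planted symlink makes the redirect fail

# Create a private 0700 work directory and print its path. Nothing outside
# it is touched, so a symlink planted in /tmp under a guessable name is irrelevant.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/lookup.XXXXXX"
}

# Write stdin into a fresh 0600 file inside the work directory ($1) and print
# its path. mktemp creates the file with O_EXCL, so it never reuses an existing
# name; the symlink test below is belt and braces.
write_lookup() {
    workdir=$1
    tmp=$(mktemp "$workdir/lookup.XXXXXX")
    if [ -L "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to write through a symlink: $tmp" >&2
        return 2
    fi
    cat >| "$tmp"   # '>|' overrides noclobber for the file mktemp just created
    printf '%s\n' "$tmp"
}

# First ten characters of 'ls -ld', e.g. "-rw-------"; portable across GNU and BSD.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Remove the work directory. In a real script, register this once with
# 'trap "cleanup_workdir \"$dir\"" EXIT' so it also runs on error.
cleanup_workdir() {
    rm -rf -- "$1"
}

# Usage: the whole job happens inside the private directory.
main() {
    dir=$(make_workdir)
    f=$(printf 'alice:42\n' | write_lookup "$dir")
    echo "wrote $(perm_string "$f") $f"
    cleanup_workdir "$dir"
}

main "$@"
```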

Review heuristic

Every check-then-act sequence over shared state is a race waiting for production load to expose it. Look for read-then-write pairs that aren't inside a transaction, a lock, or an atomic compare-and-swap. If you can articulate the bug as "if two requests arrive at the same time, both will...", it's a race.

External references: CWE-362 (Concurrent Execution using Shared Resource, i.e. race condition); CWE-377 (Insecure Temporary File); CVE-2019-3463 (and many others).