diff --git a/services/web/app/src/Features/History/HistoryController.mjs b/services/web/app/src/Features/History/HistoryController.mjs
index 7fcb6357fb..39d07137f0 100644
--- a/services/web/app/src/Features/History/HistoryController.mjs
+++ b/services/web/app/src/Features/History/HistoryController.mjs
@@ -383,8 +383,16 @@ async function deleteLabel(req, res, next) {
   res.sendStatus(204)
 }
 
+const downloadZipOfVersionSchema = z.object({
+  params: z.object({
+    project_id: zz.objectId(),
+    version: z.coerce.number().int().min(0),
+  }),
+})
+
 async function downloadZipOfVersion(req, res, next) {
-  const { project_id: projectId, version } = req.params
+  const { params } = parseReq(req, downloadZipOfVersionSchema)
+  const { project_id: projectId, version } = params
   const userId = SessionManager.getLoggedInUserId(req.session)
   const project = await ProjectDetailsHandler.promises.getDetails(projectId)
diff --git a/services/web/modules/history-v1/test/acceptance/src/HistoryTests.mjs b/services/web/modules/history-v1/test/acceptance/src/HistoryTests.mjs
index 11fd0d337a..dd66827fbc 100644
--- a/services/web/modules/history-v1/test/acceptance/src/HistoryTests.mjs
+++ b/services/web/modules/history-v1/test/acceptance/src/HistoryTests.mjs
@@ -212,6 +212,24 @@ describe('History', function () {
         )
       })
     })
+
+    it('should return 404 for invalid version', function (done) {
+      this.owner.createProject('example-project', (error, projectId) => {
+        if (error) {
+          return done(error)
+        }
+        this.owner.request(
+          `/project/${projectId}/version/invalid/zip`,
+          (error, response) => {
+            if (error) {
+              return done(error)
+            }
+            expect(response.statusCode).to.equal(404)
+            done()
+          }
+        )
+      })
+    })
   })
 
   describe('zip download, with upstream 404', function () {
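Review bot: The `version` rule in `downloadZipOfVersionSchema` uses `z.coerce.number()`, which accepts every string `Number()` converts, so a path segment of `%20` (decoded to a space, coerced to 0), `0x1f` or `1e3` passes `.int().min(0)` and reaches the rest of `downloadZipOfVersion` as a numeric version that never appeared as plain digits in the URL. If only canonical decimal versions are meant, a string-first rule such as `version: z.string().regex(/^\d+$/).transform(Number),` pins that; if the looser coercion is intended, a one-line comment on the schema saying so would spare the next reader the same check. The acceptance test added in the second file only exercises `invalid`, so none of these forms is covered either way. The body of `downloadZipOfVersion` continues past the hunk, so what the coerced value is used for downstream is not visible here.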
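Review bot: The new case pins only `invalid`; the edges of the controller's `.int().min(0)` rule — `-1` and `1.5` — are not asserted, so a later relaxation of that rule would still pass this suite. Turning the case into a loop, `for (const bad of ['invalid', '-1', '1.5']) {` with `it(\`should return 404 for version ${bad}\`, function (done) {` and the request path built as `` `/project/${projectId}/version/${bad}/zip` ``, covers all three with the same callback. The 404 expectation presumes that the validation error raised by `parseReq` is mapped to 404 by the error handler; that mapping is outside both hunks, so the assertion documents an assumption about it rather than the schema alone.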