Because the feature is patched, you cannot trigger it on the live BBC site. However, the internet never forgets. Enthusiasts have archived the following:
On May 24th and 25th, 2025, users across the UK and beyond began noticing something strange. When visiting certain legacy or interactive subdomains of the BBC (particularly those tied to the BBC iPlayer’s experimental feature labs and the CBeebies "Make It" section), entering a specific code—bbcsurprise—unlocked a hidden modal window.
But this wasn’t just any error message or a generic “Congratulations.” The surprise was hyper-personalized. If the user input the code on or around their birthday (based on cookie data or a manual date entry field), the BBC would launch a full-screen, audio-enriched celebration featuring Sage, the adorable, anthropomorphic garden herb from the popular children’s show Sage’s Kitchen Garden.
The year (24/05/25) refers to the specific 24-hour window when the Easter egg was active: from 00:01 GMT on May 24, 2025, to 23:59 GMT on May 25, 2025.
For adults, seeing “Sage” as the centerpiece of a tech surprise was confusing. Why not Blue Peter’s badge? Why not Doctor Who’s TARDIS? The answer lies in the BBC’s internal 75th anniversary of Children’s Programming. bbcsurprise 24 05 25 sage bbc birthday surprise patched
Sage the herb was part of a limited-run interactive series about gardening, cooking, and memory. In the show’s lore, Sage represents wisdom and remembrance—making it the perfect character to deliver birthday messages. The “bbcsurprise” script was originally written as a one-off gift for the voice actor of Sage, whose birthday falls on May 25th.
However, when the code was accidentally left in a production build of the BBC’s front-end JavaScript bundle, the entire internet discovered it.
According to archived forum posts from late May 2025, users navigating the BBC iPlayer’s experimental “Sandbox” mode (a hidden developer menu accessible via a specific console command on the web version) discovered an undocumented endpoint:
/bbcsurprise?date=240525&user=sage
When loaded while logged into a standard BBC account, the endpoint served a fully produced, 45-second animated birthday video. The video featured the beloved Wallace & Gromit characters (Aardman Animations, a long-time BBC partner) singing a custom “Happy Birthday” song, with the name “Sage” integrated into the lyrics, alongside floating numbers 24, 05, 25.
The animation was not low-quality: professional voice acting, 4K resolution, and a credit roll mentioning “BBC Interactive – Special Projects.”
Reddit user u/Wirehead_Wanderer posted on May 24, 2025 at 14:32 GMT:
“Just triggered ‘bbcsurprise’ on iPlayer web beta. It gave me a full birthday video for someone named Sage. The date 24-05-25 is hardcoded. I tried changing the URL param ‘user=sage’ to my own name – it defaulted back to Sage. Definitely a one-off.” Because the feature is patched , you cannot
Another user, @techsplorer, tweeted:
“BBC accidentally left a private birthday surprise live for a producer’s kid named Sage. Date: 24 May 2025. It’s adorable. Also a security risk. #bbcsurprise”
Within four hours, the hashtag #BBCSurprise trended locally in the UK.
Cybersecurity expert Dr. Mira Kessler (University of Cambridge) commented: “Just triggered ‘bbcsurprise’ on iPlayer web beta
“The bbcsurprise bug was charming but dangerous. Once users saw they could inject dates, the next step was testing for SQL injection or auth bypass. The BBC was lucky this was just a birthday video—not a backdoor.”